ABSTRACT

Most information security practitioners think of security policy development in fairly narrow terms. Use of the term policy development usually connotes writing a policy on a particular topic and putting it into effect. If practitioners happen to have recent, hands-on experience in developing information security policies, they may also include in their working definition the staffing and coordination of the policy, security awareness tasks, and perhaps policy compliance oversight. But is this an adequate inventory of the functions that must be performed in the development of an effective security policy? Unfortunately, many security policies are ineffective because of a failure to acknowledge all that is actually required in developing policies. Limiting the way security policy development is defined also limits the effectiveness of the policies that result from this flawed definition.