ABSTRACT

Most information security practitioners think of security policy development in fairly narrow terms. The term policy development usually connotes writing a policy on a particular topic and putting it into effect. Using the security policy life cycle approach to policy development can ensure that the process covers all functions necessary for effective policies. Overall, policy creation is probably the most easily understood function in the policy development life cycle because it is the one most often encountered and the one that normally requires readily identifiable milestones. Policy review is the second function in the development phase of the life cycle. Once the policy document has been created and initial coordination has been effected, it must be submitted to an independent individual or group for assessment prior to its final approval. Once the policy has been formally approved, it passes into the implementation phase of the policy life cycle.