The Infosec Institute defines an Information Security Policy as a set of "rules enacted by an organization to ensure that all users or networks of the IT structure within the organization's domain abide by the prescriptions regarding the security of data stored digitally within the boundaries the organization stretches its authority" (InfosecInstitute, 2014). Further, Rob Johnson sees security policies as "a set of principles that communicates common rules across the enterprise" (Johnson, B., 2015).
However, security policies in a global organization are cumbersome to maintain because the government regulations governing information systems diverge from country to country. It is, therefore, "difficult to define and adhere to a coherent set of information security controls and policies in a global organization" (sans.org, 2002). Policy challenges can also arise from mergers and acquisitions between firms with different risk appetites and security policies.
To mitigate such divergence in policies, global firms should endeavor to meet certain security policy requirements itemized by SANS. Some of these requirements are:

1. Ensuring information security policies are consistent with the risk tolerance of each organization and its willingness to accept risk (SANS.org, 2002).
2. Global security must be in place if "networks and technology cause a risk in one region to be shared globally throughout the organization" (SANS.org, 2002).
3. Such policies must adhere to a globally approved structure "that gives adequate representation to all stakeholders and parallels the organizational structure of the policies themselves" (Sans.org, 2002).
Tackling security policy at a region-specific level may help mitigate some of the issues faced by global organizations; however, such policies must conform to an acceptable standard set by headquarters. Per SANS, "the safest approach is to tackle the policies in the region-specific level, with the hope of setting a standard that can be extended globally at a later date with modifications if appropriate" (SANS.org, 2002). In that case, the policy falls within the guidelines of both the corporate headquarters and the local legislation.
References

InfosecInstitute (2014). Key Elements of an Information Security Policy. Retrieved from: http://resources.infosecinstitute.com/key-elements-information-security-policy/

Johnson, B. (2015). Security Policies and Implementation Issues (2nd ed.). Burlington, MA: Jones & Bartlett Learning. ISBN: 978-1-284-05599-3

SANS.org (2002). Security Policies in a Global Organization. Retrieved from: https://www.sans.org/reading-room/whitepapers/policyissues/security-policies-global-organization-501