Crafting a security policy that reflects the needs of different stakeholders
Security is everyone’s responsibility, so security policies should reflect the needs and interests of an organization’s many different functions and stakeholders.
Cross-functional input and buy-in
Principal among those other functions and stakeholders are the corporate legal team, finance, human resources, procurement, production, and administration. Of course, IT supports all of them in their secure access and use of technology, applications, and data.
As part of crafting an organizational security policy, it is important to clearly explain the goals of developing such a policy to these stakeholders, answer any questions to clarify misunderstandings, and solicit their input and support. Keep stakeholders informed of the policy’s development and let them know that you value their advice. Doing so will help ensure that when the policy is ready for organizational adoption, they will already have bought into it, given that their input helped draft it.
In addition, consideration must be given to a company’s executive leadership, which typically consists of the heads of these functions as well as the CEO, president, and COO. Many professional services firms — such as law firms, accounting practices, and business consultants — are organized as partnerships with a managing partner or director heading all administration. In any case, many, if not all, of these other functions exist in such firms, too.
Understand the differing security concerns across the teams and departments
As you gather input from different functions, you’ll discover their security concerns will vary, depending on their working contexts.
For example, legal has ethical and regulatory requirements for the intellectual and knowledge assets they must handle. Finance and accounting need ready access to financial data for planning and reporting but must be careful about leaks, especially if the company is publicly traded. Human resources staff needs employee data secured, often in compliance with various privacy regulations, and must be able to conduct easy onboarding of new hires and to terminate access privileges immediately whenever an employee leaves the firm.
Nevertheless, these and all other teams and departments share a common desire for the organization’s overall security: they want it to be frictionless, so they can quickly and easily access the data, information, and knowledge assets they need from wherever they’re working.
iManage Work 10 and iManage Cloud, along with our iManage security-related offerings, can help organizations achieve the balance between security and accessibility that’s right for their particular requirements. In addition, these solutions provide flexibility and scalability to adapt to a company’s changes — mergers, acquisitions, or divestitures — and growth over time.
Find out more about securing your knowledge and sensitive data while balancing protections and accessibility: Protect knowledge and secure your vision.
About the author
Manuel Sanchez
Manuel Sanchez is an Information Security & Compliance Specialist at iManage with extensive professional experience in information security, governance, and compliance.