Discuss the approaches to policy development presented in this chapter. In your opinion, which is best suited for use by a smaller organization and why? If the target organization were very much larger, which approach would be more suitable and why?

The approaches to policy development presented in this chapter are the SecSDLC, the Information Security Policies Made Easy approach, and NIST SP 800-18, Rev. 1.

SecSDLC (Security System Development Life Cycle): This approach emphasizes integrating security into the software development life cycle. It is a comprehensive methodology that ensures security is considered at every stage of a project. For smaller organizations, the SecSDLC approach may appear overly resource-intensive and complex, since they often lack the staff and budget to carry out such a rigorous process. They would instead benefit from a more streamlined approach.

The Information Security Policies Made Easy approach: This approach is designed with simplicity and practicality in mind, aiming to make security policy development accessible and easy to understand. Smaller organizations, which may have limited resources and few or no dedicated security personnel, can benefit from this approach. It allows them to create effective security policies without extensive expertise or resources, making it the more suitable choice for their scale.

NIST SP 800-18, Rev. 1: The NIST framework reinforces a business process-centered approach to policy management. It provides a comprehensive guideline that can be adapted to organizations of various sizes. For a very large organization, the NIST approach may be particularly suitable: larger organizations typically have more complex structures and more resources at their disposal, and NIST's comprehensive framework allows them to manage security policies at scale, in alignment with their intricate business processes and the resources available to them.