Data Risk Governance

Exploring the intersection between information security, privacy, technology and the law.

Policy

The following content pertains to information security policy, and perhaps to IT policy more generally. The intent is to focus on information security although reference may be drawn to business policy more generally. Definitions of policy vary.

Policy: A principle or rule to guide decisions and actions.

A policy hierarchy consists of multiple levels of policy content, each level increasing in degree of specificity and generally narrowing in the scope of its audience and applicability. An example of a policy hierarchy:

  • Principle: Guiding axiom or statement meant to give context, enlighten, and aid in making difficult decisions. Principles explain the established sentiments or beliefs of the organization. Principles are most helpful when confronting situations that are neither black nor white, but some shade of gray.
  • Policy: Statements of management intent, designed to promote desired behavior and achieve outcomes consistent with management expectations, risk tolerance and commitment.
    • Standard (Requirement): Closely related to policy, standards may explicitly state requirements where it might otherwise be considered too strong or harsh to do so in policy. Culturally it may or may not be desirable to separate requirements from policies. In some cases it is merely a matter of semantics. In other cases, where a greater degree of flexibility and granularity is needed, standards may be helpful.
      • May contain words like MUST, MUST NOT, SHALL, SHALL NOT, etc. Positive voice is generally preferable to negative voice.
  • Baseline (Template): Specific instructions regarding the configuration and deployment of specific technologies. Baselines are usually product specific.
  • Procedure: Detailed step-by-step instructions for performing a business task or function. Written procedures are needed where variance in process execution is undesirable, especially when the procedural steps themselves constitute controls.
  • Guideline: Recommendations that are meant to be followed unless circumstances exist that dictate otherwise. Discretion is left to the user to make a risk-based decision, balancing cost and resources against the degree of risk accepted by not adhering to the guideline.
  • TYPES:
    • Division
    • Local
    • Issue-specific
    • Process-specific

CULTURE

Policy must be congruent with the culture of the organization. Changes must be incremental and sustainable, and policy must be realistic and enforceable. Perhaps you simply begin with the 20 Security Controls.

Policy Awareness: Policies aimed at large audiences with relatively general content are well-suited as the subject of awareness campaigns. Those who are expected to comply with the policy must understand:

  • Why does the policy matter?
  • What IS the policy?
  • What are the benefits of following the policy?
  • What are the consequences of not following the policy?

Kick off an awareness campaign or training session with a recorded message from the leader of the organization, stating executive support, expectations and desired outcomes.

Policy Training: Specific course, presentation or webinar that presents the policy and related requirements to the audience.

Policies, requirements and procedures, like goals, should be SMART:

  • Specific
  • Measurable
  • Achievable
  • Realistic
  • Time-dimensioned (most commonly neglected)

When writing procedures, ask the following questions:

  1. Who does the procedure?
  2. What is the procedure?
  3. When is the procedure done?
  4. Where is the procedure done?

Often overlooked: policy and procedures for contacting law enforcement.

Policy Needs Assessment. Gather input from the following sources:

  • Existing information security policies
    • Consider a documentation collection effort to identify and gather everything that is relevant and written down.
    • Gather the firewall policy, translate it to English and consider whether it would be approved by executive management.
  • New employee orientation
  • Audit / general controls review
  • Security incidents
  • Industry trends
  • Laws / regulations
  • Standards / frameworks
  • Incident handling
  • Business continuity
  • Contract requirements
  • Organizational mission & goals: assumptions, beliefs, values, vision, strategies, execution statements
  • Gap analysis
  • Security exception requests, approvals, etc.

Don’t forget Roles & Responsibilities

  • Executive Leadership
  • Management
  • End Users
  • Individual Contributors
  • Information Security Personnel
  • IT Admins/Support
  • Operational managers and system users

Create handbooks for well-established, defined positions.

Policy Development

  1. Determine the specificity of the policy: General or Specific
  2. Apply SMART and Who/What/When/Where/Why
  3. Policy parts (header and body):
    1. Purpose
    2. Overview
    3. Background
    4. Related Policies, References
    5. Expiration
    6. Scope
    7. Responsibility
    8. Compliance

Policy types

  • File Sharing
  • Computer Sanitization/Disposal
  • IRC, Messaging
  • Peer to Peer
  • Spam, unauthorized attachments
  • Wireless
  • Clean Desk
  • Acceptable Use, Banners (Scope, external, internal, etc.)
  • Social Media
  • Code of Ethics

Policy Lifecycle

  • Identify Problem (Risk)
  • Analysis
  • Design Draft Policy
  • Policy Approval Process
  • Awareness and Education
  • Assess
  • Review Cycle, Renew
