I am constantly surprised and disappointed that policies and procedures aren’t taken more seriously. They are the blueprint of your corporate culture, the single most important aspect of your security program, and by far the easiest and cheapest things to put together (in terms of capital costs anyway).
Even a ‘controls only’ standard like the PCI DSS is roughly 40% ‘paperwork’, yet that paperwork, with the possible exception of the risk assessment, remains the most common tick-in-the-box exercise of them all. Which is a shame, really: it should be enough that thieves want to steal your data, so why make things worse by failing to prevent your own employees from virtually giving it away?
A policy and procedure framework generally consists of four document types:
- Policies – the dos and don’ts of your entire organisation, written in mandatory language (will / must / shall). e.g. your password policy states that you MUST use strong authentication for access to systems containing data above a certain classification;
- Procedures – describe HOW you implement the policies in YOUR organisation. They are detailed, ‘living’ documents that prevent the constant re-inventing of the wheel when performing standard functions. e.g. this is how you implement strong authentication for all relevant systems / applications etc.;
- Standards – very detailed documents that specify exactly WHAT configuration satisfies a policy, from operating system hardening guides to firewall rulesets. e.g. the actual password elements that constitute ‘strong’ (seven characters, alphanumeric, changed every 90 days etc.); and
- Guidelines – the only non-mandatory element of the framework, providing good-practice advice on how to meet a policy requirement. e.g. don’t use birthdays, don’t use the names of your children, consider a passphrase instead of a password etc.
However, you can have the most polished documentation ever and still completely miss the mark. It’s not about the paperwork itself; it’s about the enforcement of what’s IN the paperwork. A policy is only ever as good as the understanding of it and the adherence to it.
Unfortunately, this is where most organisations fall down, and one or more of the following challenges apply:
- Policies not in line with corporate culture or day-to-day business process – Policies should be owned, and ideally written, BY the CEO / BoD: who else is more responsible for the culture, direction and future of an organisation? Too often this is delegated to departments or individuals without the necessary authority or experience to perform the function properly. A document coordinator MUST be a subject matter expert.
- Undocumented procedures result in numerous (usually unintentional) breaches of policy outside the formal exception / variance process – Just because a policy is in place does not mean anyone knows how to implement it. Every department in an organisation is responsible for describing how each and every task is accomplished. Without procedures and standards, policies become unenforceable, and every new employee has to reinvent the wheel every time they want to accomplish what should be a standard task.
- Policies are undistributed, unenforced or misunderstood – You may HAVE policies, or even procedures, but if no-one knows where they are, what they mean, or how to measure against them, they are just pieces of paper. Security awareness training programs should start with a comprehensive look at corporate policies.
- Poor document management or lack of integration with formalised training mechanisms – Without a robust document management system it is very difficult both to maintain the integrity of the policy and procedure documentation and to distribute and enforce it.
- No feedback or measurement processes – Per the old misquoted cliché, you can’t manage what you can’t measure, and unless policies are treated as living documents with company-wide feedback mechanisms in place, they can rapidly become obsolete.
I do not use the word ‘recommend’ lightly, but I HIGHLY recommend that before you implement ANY aspect of your security or compliance program, you get your policies in place. At the VERY least do this in parallel with a risk assessment and business process mapping exercise.
While most high-profile breaches focus on what went wrong technically, I can almost guarantee the original failure was one of education in the most basic of all security foundations: policies, standards and procedures.