Policies and Standards and Procedures – Oh My!
Policies and Standards and Procedures – Oh My!
March 31, 2021
- Policies are key to building a strong information security program and culture
- Step up security awareness and training to support policy adoption
- Avoid policy overload by following established frameworks
From a security engineering point of view, policies and procedures often feel like afterthoughts. Once the technical controls are in place to protect data and systems – e.g., a strong chain of firewalls, intrusion protection, anti-malware and secure authentication – the business value of having policies, standards and procedures documented is perceived as low. Why do system users need to understand and acknowledge their part in keeping data secure?
Perhaps we shouldn’t have been surprised to find we faced a user rebellion. Websites that the training division used stopped functioning due to the restrictions on Flash. The Marketing team was unable to get materials to their creative partners because we restricted uploads to the cloud. More complaints rolled in. Underlying the complaints was a valid question: What policy required the restrictions on Internet activity and on whose authority was this put in place?
When Technology and Culture Don’t Fit
Sometimes secure technology gets ahead of policy. Users are understandably confused and annoyed when they find something they could do yesterday – like transfer a file to a business partner – is no longer possible. Smart people will find ways around security gates, whether through cloud uploads, data transferred via unencrypted USB drives or the use of reverse proxies. They may not realize they’re exposing the organization to increased risk. IT security tools alone are often not enough to change behavior.
Good IT policy is like a blanket: It should securely cover all the corners and provide protection and assurance – not just a feeling of comfort. But sometimes it gets pulled over to one side, leaving another side exposed (competing priorities, lack of resources, short term needs, etc.). And sometimes people intentionally stick their legs out from underneath to escape its purpose (rogue staff, noncompliance, too heavy). And finally, sometimes it needs to be washed, mended or replaced to become purposeful again (review, revision, adaptation to change, ensuring relevance, closing holes.)
Organizations need policies for acceptable use of technology, as well as standards for data protection. The policies should explicitly state why the security measures are in place: how do they protect sensitive information and support the organization’s mission?
Policies come from the top – from the CIO, CISO, legal counsel or other executive responsible for security. The intent of the policy is to manage risk to a level that is acceptable, as determined by the C-Suite. The security team is not dictating what should happen, but executives are. In addition, every policy governance structure should have an exception process where businesses can spend the money to either provide compensating controls at their own expense or justify their position to the executives on why their business needs an exception.
Executive support is key to creating a culture of security across the organization. Training and awareness programs help spread the word and spark change. When company employees agree with security rationale, they follow the guidelines. Even if there are still those who stretch the rules, the core culture of protecting and safeguarding information will be in place.
Unconventional Training and Awareness
When I mention training and awareness, you may think of an Internet video or PowerPoint presentation. I’m thinking of the time when a joint Legal and Information Security team from went to the company cafeteria to hand out cards with the new information classification system. This was part of a data labeling and data loss prevention rollout. The colorful cards clipped onto employee badges and had quick tips for identifying and protecting data. Each card was handed out along with a snack or dessert. It was the first time I saw people lining up eagerly for security training.
Gamification is also an encouraging development in security training. To complete ethics training, some companies have employees play a game where the user is placed in challenging situations, such as being asked to send a bribe to a local official to get building permits. If the user agrees – oops! He/she just lost a level. Security awareness can also use games and scenarios to make learning interesting and memorable.
Just Enough Policy
While organizations need policies and standards, too many of these can become a burden and over-complicate business processes. Prioritize the essential policies and standards by identifying the regulatory needs of the organization. Ensure that, at a minimum, policies address those requirements.
Sending each employee a 100-page acceptable use policy to review is unlikely to garner a lot of positive feedback. Policies themselves should be quite short – ideally just a page or two. Standards can be longer, as they flesh out details of the requirements and implementation. Procedures are often technical and can be as long as needed to ensure that configuration and settings are correctly applied to meet policy and standards.
Table 1: Policies, Procedures, Standards, and Guidelines
|Policies||Policies are high-level statements that set the tone and temperament of management’s direction around logical, physical and managerial practices. Policies are generally not technology-specific or vendor-specific; and do not change frequently over time.||
All passwords used to access information assets must conform to IT security standards relating to composition, length, expiration and confidentiality.
|Standards||Standards provide detailed and mandatory requirements for personnel in protecting organizational information and carrying out their job duties. Any deviation from a standard must be approved by management and documented.||
|Password Standards (all platforms)
|Procedures||Procedures set the path for personnel in performing their job responsibilities around a specific activity. Procedures are the detailed step-by-step activities and tasks to follow. Procedures also provide prescriptive guidance on steps to take in order to comply with security policies, standards, and guidelines.||
|Enterprise Change Procedure
All enterprise changes must be submitted to the Change Control Committee for change analysis. Upon receiving the change request, the committee will evaluate complexity and impact. Once approved, an owner will be assigned to oversee development, testing, and implementation of the change.
|Guidelines||Guidelines provide recommended but not mandatory guidance for personnel in protecting company information and carrying out job responsibilities. Deviations from guidelines do not require management approval.||
|Intranet Site Creation
Use this guideline to your advantage by adhering to the following recommendations:
Some organizations have too many policies and need to consolidate or reduce them. When a policy or standard is reviewed to determine whether to keep or retire it, ask:
- Is this document integral to maintaining secure and compliant operations?
- Is this document required for regulatory compliance or certification audit?
- Does this document provide critical information for employees on appropriate usage or actions?
- What are the ramifications of not having policy that addresses this area?
Once you have a structured policy library in place, you have taken steps to satisfy the requirements of many industry and government regulations, including Payment Card Industry Data Security Standard (PCI DSS), General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA) and the Cybersecurity Maturity Model Certification (CMMC).
Frameworks and Templates
Policies and procedures should be based on established frameworks and the organization’s role in government, critical infrastructure or industry will guide framework adoption. Examples of frameworks include the NIST Cybersecurity Framework (CSF), ISO/IEC programs, Federal Financial Institutions Examination Council (FFIEC) standards and PCI SSC standards.
To begin, identify the current policies and standards in use by your organization. An initial exercise may include cross-referencing these documents to the selected control framework or standard. A gap assessment will detect areas that are not sufficiently addressed in existing policies, standards and procedures. Out of this exercise will emerge a list of key policies and standards that need to be developed or updated.
The next step is to set up a template to use consistently for policies and standards. Typically, the template for standards will include sections shown here:
Table 2: Template Example
|Standard Statement||The standard’s intent, when the standard applies and any mandated actions or constraints|
|Scope||Systems, sites and personnel affected by the standard|
|Definitions||Terms specific to the standard|
|Responsibilities||Who is responsible for implementing standard and procedures?|
|Compliance||repercussions for violating the standard|
|Related Information||Information Related policies, websites and documents that provide supplemental information to the standard|
|Revision History||Brief description of any revisions to the standard|
Documents may be developed internally or with the help of a consultant and experience with framework requirements is often helpful. A consultant familiar with PCI or HIPAA can help your organization write policies and standards that meet those requirements.
So consider the humble “P&P” – policies and procedures. Not as exciting as a new firewall, but still an important part of a security program. By keeping your organization’s policies current and relevant, you provide essential direction and practical guidance to keep data secure and protected.
Peer review and contributor: Matthew D. Lammers – Manager, IT Risk Transformation & Advisory CISO