Policies and Standards and Procedures – Oh My!

March 31, 2021

• Policies are key to building a strong information security program and culture
• Step up security awareness and training to support policy adoption
• Avoid policy overload by following established frameworks

From a security engineering point of view, policies and procedures often feel like afterthoughts. Once the technical controls are in place to protect data and systems – e.g., a strong chain of firewalls, intrusion protection, anti-malware and secure authentication – the business value of having policies, standards and procedures documented is perceived as low. Why do system users need to understand and acknowledge their part in keeping data secure?

Personal experience has led me to respect policy’s role in a security program. A few years ago, I was working with a team of engineers in a highly secure data center. We configured firewalls and gateways to protect the network. The wall around the network was solid. But what about the people inside? We realized we had to manage their activity as well. To this end, we began to lock down Internet access and set up strict controls around Flash and JavaScript due to vulnerabilities associated with those web functions.

Perhaps we shouldn’t have been surprised to find we faced a user rebellion. Websites that the training division used stopped functioning due to the restrictions on Flash. The Marketing team was unable to get materials to their creative partners because we restricted uploads to the cloud. More complaints rolled in. Underlying the complaints was a valid question: What policy required the restrictions on Internet activity and on whose authority was this put in place?

When Technology and Culture Don’t Fit

Sometimes secure technology gets ahead of policy. Users are understandably confused and annoyed when they find something they could do yesterday – like transfer a file to a business partner – is no longer possible. Smart people will find ways around security gates, whether through cloud uploads, data transferred via unencrypted USB drives or the use of reverse proxies. They may not realize they’re exposing the organization to increased risk. IT security tools alone are often not enough to change behavior.

Good IT policy is like a blanket: It should securely cover all the corners and provide protection and assurance – not just a feeling of comfort. But sometimes it gets pulled over to one side, leaving another side exposed (competing priorities, lack of resources, short term needs, etc.). And sometimes people intentionally stick their legs out from underneath to escape its purpose (rogue staff, noncompliance, too heavy). And finally, sometimes it needs to be washed, mended or replaced to become purposeful again (review, revision, adaptation to change, ensuring relevance, closing holes.)

Organizations need policies for acceptable use of technology, as well as standards for data protection. The policies should explicitly state why the security measures are in place: how do they protect sensitive information and support the organization’s mission?

Policies come from the top – from the CIO, CISO, legal counsel or other executive responsible for security. The intent of the policy is to manage risk to a level that is acceptable, as determined by the C-Suite. The security team is not dictating what should happen, but executives are. In addition, every policy governance structure should have an exception process where businesses can spend the money to either provide compensating controls at their own expense or justify their position to the executives on why their business needs an exception.

Executive support is key to creating a culture of security across the organization. Training and awareness programs help spread the word and spark change. When company employees agree with security rationale, they follow the guidelines. Even if there are still those who stretch the rules, the core culture of protecting and safeguarding information will be in place.

Unconventional Training and Awareness

When I mention training and awareness, you may think of an Internet video or PowerPoint presentation. I’m thinking of the time when a joint Legal and Information Security team from went to the company cafeteria to hand out cards with the new information classification system. This was part of a data labeling and data loss prevention rollout. The colorful cards clipped onto employee badges and had quick tips for identifying and protecting data. Each card was handed out along with a snack or dessert. It was the first time I saw people lining up eagerly for security training.

Gamification is also an encouraging development in security training. To complete ethics training, some companies have employees play a game where the user is placed in challenging situations, such as being asked to send a bribe to a local official to get building permits. If the user agrees – oops! He/she just lost a level. Security awareness can also use games and scenarios to make learning interesting and memorable.

Just Enough Policy

While organizations need policies and standards, too many of these can become a burden and over-complicate business processes. Prioritize the essential policies and standards by identifying the regulatory needs of the organization. Ensure that, at a minimum, policies address those requirements.

Sending each employee a 100-page acceptable use policy to review is unlikely to garner a lot of positive feedback. Policies themselves should be quite short – ideally just a page or two. Standards can be longer, as they flesh out details of the requirements and implementation. Procedures are often technical and can be as long as needed to ensure that configuration and settings are correctly applied to meet policy and standards.

Table 1: Policies, Procedures, Standards, and Guidelines

Some organizations have too many policies and need to consolidate or reduce them. When a policy or standard is reviewed to determine whether to keep or retire it, ask:

Once you have a structured policy library in place, you have taken steps to satisfy the requirements of many industry and government regulations, including Payment Card Industry Data Security Standard (PCI DSS), General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA) and the Cybersecurity Maturity Model Certification (CMMC).

Frameworks and Templates

Policies and procedures should be based on established frameworks and the organization’s role in government, critical infrastructure or industry will guide framework adoption. Examples of frameworks include the NIST Cybersecurity Framework (CSF), ISO/IEC programs, Federal Financial Institutions Examination Council (FFIEC) standards and PCI SSC standards.

To begin, identify the current policies and standards in use by your organization. An initial exercise may include cross-referencing these documents to the selected control framework or standard. A gap assessment will detect areas that are not sufficiently addressed in existing policies, standards and procedures. Out of this exercise will emerge a list of key policies and standards that need to be developed or updated.

The next step is to set up a template to use consistently for policies and standards. Typically, the template for standards will include sections shown here:

Table 2: Template Example

Documents may be developed internally or with the help of a consultant and experience with framework requirements is often helpful. A consultant familiar with PCI or HIPAA can help your organization write policies and standards that meet those requirements.

So consider the humble “P&P” – policies and procedures. Not as exciting as a new firewall, but still an important part of a security program. By keeping your organization’s policies current and relevant, you provide essential direction and practical guidance to keep data secure and protected.

Peer review and contributor: Matthew D. Lammers – Manager, IT Risk Transformation & Advisory CISO