Developing Useful Information Security Policies

Going through the process of developing a set of policies for your workplace is a must as you reach some point of growth within your organization. Many companies operate for years without taking the time to develop a standard set of information security policies. We have started to see an uptick in the number of organizations making the move toward budgeting time for policy development, testing, and implementation as a result of the various regulatory requirements the business may be subject to. I want to take a moment of your time to cover some areas I recommend you think about as you go through the process of putting together the necessary policies for your organization.

To begin, take some time to get a firm grasp on your need for the policies you are about to develop. Are you facing a new set of regulatory requirements which specify a compliance requirement around documentation of policies or procedures? Many companies are working to better comply with their in-scope areas of the PCI DSS, for example. Building a strong set of documentation is a great way to guide the direction of internal initiatives toward compliance. Maybe your company has seen a shift in management thinking toward using an industry standard framework for policy content. Several robust frameworks exist which can begin to make sense of the policy sprawl that can develop over time. The ISO 27002 framework is a recommended set of guidelines you should consider for your implementation. The areas covered by ISO 27002 are:

  1. Security Policy
  2. Organizing Information Security
  3. Asset Management
  4. Human Resources Security
  5. Physical and Environmental Security
  6. Communications and Operations Management
  7. Access Control
  8. Information Systems Acquisitions, Development and Maintenance
  9. Information Security Incident Management
  10. Business Continuity Management
  11. Compliance

As you can see, the topics covered in this framework touch on many of the important areas where corporations should work to ensure information security guidance exists. In some cases you may need to build out your policy set using a core framework and add secondary areas of coverage specific to your compliance requirements, either at the end or in a related area of coverage within the document. The ISO 27002 framework is available for purchase from the International Organization for Standardization website (http://www.iso.org/iso/catalogue_detail?csnumber=42103). Other frameworks worth taking the time to review and potentially use or integrate are:

  1. CobIT
  2. COSO
  3. HITRUST CSF

Once you have identified the framework that is the best fit for your organization, take a moment to plan and document the format you will be using. Many corporations may already have documentation that outlines the format requirements for policies and procedures. Whatever guidance already exists may need to be expanded upon for the project you are about to undertake.

Policy structure in many cases will be created in one of two ways. In some organizations we see policies developed in what I would call a topic silo: each area of coverage has a policy, a directly related standard, and any underlying procedures. The other type of design is a policy tree, where there is an overarching document which contains the top-level policies. From there the topics break out into standards and procedures documentation in separate documents. Metaphorically, the tree trunk is the main policy container. The tree branches represent the standards, which cover additional detail not included in the policy. Finally, the leaves on the tree represent the procedures, which are the most specific of the documentation and are supported by the standards and the policies.

To ensure your efforts are not in vain, consider who your core contributors will be. This would be comprised of two separate groups of individuals. The first team would be comprised of managers and team leaders from affected departments within your organization. If this group is not on board with the policies being created, there is a high likelihood many roadblocks will appear throughout the process of implementation. Political wrangling frequently occurs during this process. The second group is comprised of knowledge workers. This team will be key to outlining supporting standards and procedures as the documentation progresses. The required interaction of both groups will ensure the documentation is not only thorough but that key staff members have an awareness of the company policies being put in place. Their involvement will create a vested interest in the implementation and the success of the project.

As you begin to write out your policies, consider the structure and the template you will be using. Two key components of a successful set of policies are readability and consistency. Consider introductory information, change control, breakout of subcomponents, logos, disclaimers, fonts, defined maintenance periods and related tracking information, and what happens when someone or something is not in compliance. These are just a few possible line items you want to consider including in each and every document. In some cases you may also want to add language which ties a policy subcomponent to a specific part of your environment. For example, you may write a policy which conflicts with what is required by PCI DSS. In this case consider creating a subsection that defines the policies required by PCI DSS and state that this section only applies to that area of your environment. (Example: log retention for the overall network is 3 months before purge or rollover, and 1 year for the PCI DSS environment.)

The policies you write should remain at a high level. They should contain language which applies to the company as a whole or to a major subcomponent of the company structure. Once a policy has been written and reviewed, consider whether additional information is necessary to convey the requirements. This would lead to the development of a standard containing details about the application and related requirements of the policy. If your content needs to be step-by-step specific, a procedure would be necessary. This completes the typical set of documentation necessary to cover information from a very high level down to the specific.

Once you have a section written out, hand it off for review and testing. Set turnaround time objectives for the review to occur. The review process will allow areas needing additional coverage to be identified and gaps to be filled. Once feedback has been provided, review the suggested changes for issues with compliance requirements and for overlap with other content which may negate the need for a change.

The final stage of policy development is the approval and deployment process. This at times can be the most time consuming as a result of internal politics and multiple change suggestions by the approving party. Continue to drive approval as time passes to prevent project slippage. After approval has been received from upper management, HR, and legal, start deploying the content to staff. This can be a simple email to an employee distribution group, updating your intranet and sending a notification, or even handing the policy out and requiring a signature. Signatures are a great tool for policies where there is a likelihood of non-compliance and potential termination of employment for violators.

Build out a testing procedure to see how successful your policies have been in your work environment. This could be a settings check on a system or a spot check of employee understanding. The most important test is to ensure employees know that policies exist that affect their job, where they are located, whom to ask if they have questions, and how to report violations.

As you can see, developing a set of security policies goes through many stages, requires the input of several of your coworkers, and can take a significant amount of time to complete. What I have covered here is just a snapshot of some of the things we are seeing in the market; however, I hope I have covered a few areas and provided some additional insight for your future efforts.
