How to create information security policies?
Updated: Jun 30, 2019
Need for information security policies
A policy contains management decisions, directions, guidance, expectations, needs and wants from its organization. These are the statements that guide the organization, establishing guidance on how it should act, think and make their own decisions. A security policy is pretty much the same. These policies forms the foundation of control for the organization. Controls that are determined by the expected behavior from the organization by the management. In the absence of policy (and by extension, control), an organization might deviate from the modal behavior that its management intents. Often the senior management lacks understanding of information security domain, resulting in policy decisions being delegated to other competent members in the organization (or some times outsourced), which gives rise to an ownership issue.
Policy creation, a RASCI perspective
Accountable: With all its “Due Care” responsibilities, management is “Accountable” for the creation of information security policies. In absence of information security policies, the organization will ask for management’s decision on a day-to-day basis which will make the management inefficient and ineffective.
Responsible: Due to the nature of this topic, management will (most often) delegate the “Responsibility” to create policies to a subject matter expert, typically the Chief Information Security Officer (CISO) of the organization. CISO, working with the management and other subject matter experts develops policies that are in line with the management’s vision, mission and strategy.
Consulted: CISO will consult respective subject matter experts when forming policies related to specific domains. For example, when forming a policy around cryptographic standards, the CISO might consult his security architect to select the right cryptographic controls.
Supported: CISO implements the policies under the authority as assigned by the management, but with the “Support” of the other subject matter experts. Management provides support for this activity with human resources and other financial resources that are required. Note that cost could be a factor in policy implementation.
Informed: A policy is only effective, if the staff who are targeted through these policies are “Informed” of the policies, and if they are well trained in tools, technologies and processes that are required to implement the policy.
Approaches to policy creation
Risk based approach: As with most of the topics within the information security domain, the organization forms information security policies to address its risks to Information Assets. The policy statements are designed around modeling the organization ‘s behavior so that the risks are minimal. A pure policy (i.e. directive controls) based control has its own advantages (e.g. cost savings) and disadvantages (e.g. impossible to detect).
FAQ based approach: The management often receives requests for its decision, approvals, advice and guidance. A policy statement could answer all these questions, effectively setting the management expectations on those matters.
Compliance based (Legal, regulatory, contractual, and standards): Most of the legal, regulatory, contract and standards that applies to the organization requires it to setup a set of information security policies. This might lack specific policies which the organization might requires. But it would be a good starting point that provides a baseline security.
Reverse engineering: at least, document your current security practices, and seek management approval. This forms a baseline for your security program, which can be improved over time, using other methods discussed here. Having a security policy in itself is a good starting point.
Internet search: look for relevant news, articles related to topic to understand the subject and common themes which are repeated in those materials. Existing policies can be improved to address the needs of these emerging threats.
Reasons for non-conformance
Lets face it. No body likes a new policy. A new policy mostly implies additional constraints that is put on technologies, processes or people working for the organization. Our natural tendency is to offer resistance to such change. Following are some of the actions that you need to take when a new policy is implemented:
Awareness and training: People are generally not interested in reading documents to understand information security policies. Organizations need to do a better job in raising awareness around the policies that are implemented. An email communication is the least of all. There must be additional channels of communications such as Town-hall speeches by the management, flyers, cartoons, etc.
Policies not supportive of business objectives: Policies must align to an organization's business objectives. It should be clear to the organization how (and why) these security policies enable or protect its business objectives. This understanding will enhance policy adoption.
Monitoring and control: Policies must be monitored for effectiveness and efficiency. Security governance forum must be mandated with the responsibility to define, establish, maintain and continually improve the organization's security policies. Without adequate monitoring, these policies will spin out of control.
Not having consequences: It is important for people understands how a breach in policy impacts the organization's business objectives. Violating these policies must have consequences that is proportionate to the risk exposure on an organization's business objectives.
Measure effectiveness of security policies
It is important to understand the effectiveness of policies that are established within your organization. Each policy adds on to the burden (in terms of implementation cost, awareness and monitoring) of people who are managing them. I could propose couple of measurements:
Number of 'exception to policies': 'Exception to policies' request is raised by the organization when they are unable or unwilling to follow the policy (whatever the reasons may be). This is a good indicator to understand how the security policy's impact on the rest of the organization's business processes.
Security incidents due to policy violation: An inappropriate policy will definitely result in breaches. A log of such incidents is an additional source of information to understand the appropriateness of an organization's information security policies.
Both measures assumes that the organization bothers to raise an 'exception to policy' or report security incidents when policies are breached. This in itself is a good indication of a strong security program within the organization. Both measures must be captured against each of the security policy (by category) and reviewed at a governance forum, ensuring actions are taken when it trends out of control.
In general, there is not just one way to create cyber or information security policies. I would recommend a hybrid approach. Start with a compliance based approach (especially, the one based on ISO/IEC 27001/27002 international standards), and add-on or refine policies based on the Risk based approach. Over time, you will have an effective and efficient policy that is fit for your organization. Policy, like any other artifact, must be reviewed constantly, at least annually, or when major changes happens.