Information Security Policy FAQ

These are frequently asked questions that commonly crop up when customers are thinking of purchasing our information security policy materials. If you have other questions or comments, do please let us know.


FAQ quick links


Q: We already have a bunch of security policies. What’s wrong with those?

A: You tell me! Does the fact that you are reading this FAQ mean you are not entirely happy with your existing policies? Or are you simply looking for improvement ideas? Either way, see just whether any of the following concerns ring true to you:

Limited scope

‘Security policies’ are typically restricted to IT, cyber or technical security matters in reality, leaving substantial gaps, especially in the wider aspects of information risk and security such as human factors, fraud, privacy, intellectual property, business continuity, business relationships and industrial espionage. In the absence of a reasonably comprehensive policy framework substantial holes in coverage are likely.

Poor quality

Good policy writingFor some obscure reason, corporate policies are often drafted in a stilted pseudo-legal style that makes them hard for ordinary people to comprehend. Do we really need to be told there are “three (3) requirements” that “include, but are not limited to, the following ...”? What’s wrong with “for example”, for example?

Instead of having to wade through pages and pages of mumbo-jumbo, or navigate a minefield of TLAs (Three Letter Acronyms) and obscure technology terms, wouldn’t it be nice to be told, succinctly and clearly, why a given security policy exists i.e. the background/business context succinctly outlining the information risks it addresses?

Add to that the general decline in standards of English grammar and spelling (despite the valiant efforts of non-native speakers), and soon we reach the point where policies verge on being unreadable. Is it any wonder, then, that workers often don’t bother at all, or if they do their interpretations may be rather different to what was intended?

Writing readable, motivational and actionable policies of any sort is a particular skill that takes years of practice: frankly, it’s a job for an experienced technical author, not the office junior.

Inconsistencies

Security policies that were drafted by various people at various times for various reasons, and may have been updated later by others, tend to drift apart as they evolve, becoming disjointed.  It is not uncommon to find bald contradictions, gross discrepancies or conflicts both within and without the policy set (e.g. differing interpretations of privacy laws and regulation), as well as outdated or missing references. That’s easy meat for the average auditor.

Security-related obligations or expectations are often scattered across the organization, partly on the corporate intranet (typically in several different places at once, in various states of disarray and decay!) and others embedded in employment contracts, employee handbooks, union rulebooks, printed on the back of staff/visitor passes and so on. Good luck keeping all that lot in check, coordinating and aligning the disparate expertise and objectives of Information Security, HR, IT, Risk Management, Legal/Compliance and others! 

Hint: even if a corporate style guide is both available and used, in practice policies often end up looking different and lacking coherence. We take pride in the look and feel of our model policies, as well as the content.

Lack of awareness

Policies are passive, formal, rather boring documents, in other words dust magnets. They exactly don’t fly off the shelves like best sellers. They take some effort to find, read and understand. Unless they are accompanied by suitable standards, procedures, guidelines and other awareness materials, and supported by structured training, awareness and compliance activities to promote and bring them to life, employees can legitimately claim that they didn’t even know of their existence - which indeed they often do when facing disciplinary action.

If they can also demonstrate readability issues, contradictions and ambiguities, their case is strengthened - further still if the policies are inconsistently applied and enforced.

Hint: management must walk-the-talk. “Do as I say, not as I do” is not a defensible position in an employment tribunal or court case. If managers bend or flagrantly disregard the information security rules when it suits them, they are inadvertently sending out a powerful message to workers in general that compliance is optional, and policies are worthless - which may be literally true. 

Lack of accountability

If it is unclear who owns the policies and to whom they apply, noncompliance is the almost inevitable outcome. This, in turn, makes it risky for the organization to discipline, sack or prosecute people for noncompliance, even if the awareness, compliance and enforcement mechanisms are in place. Do your policies have specific owners and explicit responsibilities, including their promotion through awareness and training? Are people - including managers - actually held to account for compliance failures and incidents?

Hint: if you don’t understand the distinction between accountability and responsibility, or between compliance and enforcement, you are once more missing a trick.

Lack of compliance

Quote from Larry Ponemon of the Ponemon InstitutePolicy compliance and enforcement activities tend to be minimalist, often little more than sporadic reviews and the occasional ticking-off. Circulating a curt reminder to staff shortly before the auditors arrive, or following a security incident, is not uncommon. Policies that are simply not enforced for some reason are merely worthless, whereas those that are literally unenforceable (including those where strict compliance would be physically impossible or illegal) can be a liability: management believes they have the information risks covered while in reality they do not. Badly-written, disjointed and inconsistent security policies are literally worse than useless.

Hint: think about reinforcement as well as enforcement. Aside from not being sanctioned, is there any obvious benefit for workers in fulfilling or ven exceeding their obligations? What’s in it for them?

Lack of process

Many of these issues can be traced back to inconsistencies in the way that security policies are generated, mandated, interpreted, applied and enforced by management. Documented policy management processes are rare in practice, implying no standard lifecycle for policies. Policy exceptions and exemptions (often confused but quite different in fact) are handled inconsistently. Simple housekeeping activities such as version control and scheduled periodic policy reviews are beyond many organizations, while policies generally lag well behind emerging issues such as the information security aspects of cloud computing, BYOD and the Internet of Things.

 

When you look at it dispassionately, not only is that a litany of issues but the causes are often deeply entrenched in dysfunctional organizational practices and poor corporate governance. Some unfortunate organizations would benefit from more or less scrapping their home-grown policies and starting afresh! A few have a firmer grip on the accountability and process issues but may be looking for inspiration in other areas, perhaps information security controls derived from the ISO27k standards to support their ISO/IEC 27001 Information Security Management System. Some fall in the middle ground with a mixture of policy materials that can simply be spruced-up with supplemental policies to plug the gaps ... but it’s easy to fall back into the trap by not completing the job to a consistent standard across the entire portfolio of policies. A surprising minority have no information security policies to speak of, begging big questions about their information risk, security, privacy, governance and compliance arrangements.


Q: Our information security policies must reflect our particular information risks and security requirements, so what use are generic policies?

A: Like the international standards on which they are based, the policies we supply are indeed generic and therefore need to be tailored to some extent for your organization. The policies concern typical information risks and promote commonplace information security controls, drawing from a wide range of security standards and experience. The generic policies provide a sound starting point. It is up to you to review and where necessary customize and adapt them to fit your unique context.

You may already have certain information risk and security policies or standards that need to be incorporated, for instance length and complexity parameters for passwords, although we hope you will consider the value of the suggested parameters and policy statements (you never know: we might just have come up with a better way of dealing with things or putting them across). Management may have determined that, for example, business continuity planning is out of scope of your information security function and hence the information security policies, perhaps because there is a separate department in charge of contingency planning, so you can trim out those policy statements accordingly. If, for instance, your organization has chosen to stick with Windows 7 rather than adopting Windows 10 or some other operating system, you should carefully check any policy statements concerning security patching and support.

Unfortunately, we can’t do that for you! However, customizing a set of model policies is much easier, quicker and cheaper than writing them from scratch. Starting with a suite of materials that were all written by the same person and are based on standards makes them more consistent and effective than compiling policies from a variety of sources.

We have invested literally hundreds of man-hours in researching, writing and refining the templates. You need only spend some small change from your budget to have your own professionally-written, coherent, comprehensive, high-quality and ISO27k-aligned policy set ready to go in next to no time.


Q: We are about to launch a project to implement an Information Security Management System (ISMS) and are weighing-up our options: should we do it all ourselves, engage a consultant, or start with your policy templates?

A: You are in a fortunate position if you have the skills and resources to do the ISO27k ISMS implementation entirely in-house! The ideal would be to find a project manager with prior experience of designing, implementing and perhaps operating and managing an ISO27k ISMS. At the very least, we would recommend putting some of your information security people through the Lead Implementer and/or Lead Auditor courses which are offered by several trustworthy organizations. If neither option applies, then yes we would definitely advise finding a suitable consultant to mentor and support an in-house ISMS project manager (usually the Information Security Manager) rather than simply take on a contract project manager to run the whole show. The point is that the ISMS will continue indefinitely, so it's best if your people have been in the driving seat for both the design and implementation, albeit with expert guidance.

Information security policy and procedures development is a discrete part of ISMS implementation. As we see it, you essentially have five options:

  1. Do the policy and procedures development entirely in-house, perhaps adapting and extending your existing materials in line with ISO/IEC 27001 and 27002. This is a good approach but relatively slow, and costly if you account for all the research and development and proofreading time needed. Do you even have the skilled person or people available and willing to dedicate sufficient time to this?
  2. Simply adopt a set of information security policies written by someone else - perhaps our generic policy set, or maybe pick from Charles Cresson Wood's huge set of 1300 ‘policies’ (most of which are actually standards). This is also a decent option but is unlikely to deliver a set of policies that exactly matches both your specific situation and the requirements of ISO27k. Your chances of finding useful security procedures this way are low - there is too much variation in security processes between organizations.
  3. Accumulate a set of policies and procedures based on various sources such as examples in books and on the Web. The original materials may be free or at least freely available (copyright compliance is itself an information security matter!) but you will need time to consolidate them, make them all consistent, deal with the overlaps and differences and fill in the inevitable gaps. This may or may not be quicker and cheaper than starting from scratch, depending on the quality and suitability of the materials you obtain. Either way, it is a lot of work. This is probably the most common method in practice, despite being a major cause of serious inconsistencies - meaning not merely different styles, formats and layouts but material discrepancies, conflicts and gaps in the policy content.
  4. A hybrid approach , taking a set of pre-written policies such as our policy set as a starting point but customizing/adapting them to suit your organization, and developing the supporting procedures etc. as needs be (perhaps using NoticeBored as a source). The cost of licensing commercial products is offset by the savings in R&D time and money, and by the quality of the product. We are convinced this is the best option for most organizations ... but of course we are biased! It’s up to you to weigh up the pros and cons.
  5. Employ a suitably qualified, experienced and competent consultant specifically to write precisely what you need. This is the most expensive and time-consuming approach, especially given that the consultant needs to research your specific situation and requirements first (and if they don’t even appreciate the need to do this, you have good reason to doubt their suitability). At the end of the assignment, provided you have chosen your consultant wisely, you should end up with a very nice set of security policies and procedures ... that you then need to implement ... and maintain ...

Visit www.ISO27001security.com for guidance on implementing the ISO/IEC 27000-series (“ISO27k”) standards, including a free ISO27k Toolkit.  If you want to discuss your proposed approach to implementing the ISO/IEC 27000 series standards, or get some tips on policies, awareness and all that, just let us know and we’d be pleased to help (within reason! Up to one hour of telephone/email advice is free of charge for customers. If your needs are more involved, talk to us about bespoke consultancy options and rates, including our virtual consulting service).


Q: As I understand it, an information security policy that will be circulated to all employees should be high-level, understandable and concise. Do your topic-based information security policies fit the brief?

A: Yes, we believe so - although how you actually circulate and use them, and precisely what they say, is of course up to you.

The corporate information security policy template is specifically intended to serve as the high-level over-arching policy statement and would normally be endorsed and mandated by senior management.  As such it promotes general security principles and summarizes key controls based on those recommended in ISO/IEC 27001.

The supporting topic-based policies align directly with NoticeBored’s topical approach to information security awareness. We specifically cover a different area every month, for several reasons:

  • It keeps the awareness program fresh, and stops it going stale;
  • It lets us respond to emerging and current issues including information security incidents, breaches and news from the headlines;
  • We provide briefings, presentations and guidelines in addition to the policies, so although the polices themselves are quite short (typically just 3 or 4 pages), the supporting materials explain and expand on them;
  • Last but not least, the rolling monthly program gets away from the dreaded once-a-year all-employee ‘security awareness training’ and similar compliance-driven approaches. If the only reason you want security policies and awareness is because they are demanded by your contracts, laws and regulations, then an annual sheep-dip session and one or more formal policies may be good enough from a compliance perspective ... but you are probably failing to address serious information risks to your organization, and certainly missing out on a raft of business benefits from a more holistic, modern approach to adult education.


Q: Do you maintain the policies?

A: Yes ... and no.

The policy set has evolved over many years. The overall structure is pretty stable, although from time to time we introduce new policies reflecting emerging security challenges (such as BYOD and IoT). Occasionally we retire those that are no longer relevant (e.g. security for modems with acoustic couplers - remember them?), or split and recombine policies in response to changes in the way information technologies are being used (e.g. cloud computing is more than just a new name for IT outsourcing: the risks and controls go beyond business relationships and contract terms).

We review and refresh the topical policies month-by-month in the course of writing awareness materials for NoticeBored. With more than 60 policies in the set, it would take about 5 years to update them a month at a time, except some months we update more than one policy and every so often we go right through the whole lot to make sure they remain consistent and relevant. The review cycle completes every 3 years or so in practice.

If you are not a NoticeBored subscriber and only buy the policies, we don’t provide policy updates. We figure you will customize and deploy policies through a policy management process that includes regular reviews and updates to the policies themselves and the associated security awareness collateral.  To tap in to a continuous stream of updates, improvements and new policies, however, please subscribe to NoticeBored.

Matthew Putvinski quote re importance of policies

HomePolicies > Infosec Policy FAQ >

Copyright © 2017 IsecT Ltd.