Information Risk and Security Policy FAQ
This page answers frequently asked questions concerning our information risk and security policy materials. If you have other questions or
comments, do please let us know.
Q: We already have a bunch of security policies. What’s wrong with those?
A: You tell me! Does the fact that you are reading this FAQ mean you are not entirely happy with your existing policies? Or are you simply looking for
improvement ideas? Either way, see whether any of the following concerns ring true to you:
‘Security policies’ are typically restricted to IT, cyber or technical security matters in reality, leaving substantial gaps, especially in the wider aspects of information risk and security such as human factors, fraud, privacy, intellectual property, business continuity, business relationships and industrial
espionage. In the absence of a reasonably comprehensive policy framework, your policy coverage is likely to have more holes than Swiss cheese.
For some obscure reason, corporate policies are often drafted in a stilted pseudo-legal style that makes them hard for ordinary people to
comprehend. Do we really need to be told there are “three (3) requirements” that “include, but are not limited to, the following ...”?
What’s wrong with “for example”, for example?
Instead of having to wade through pages and pages of mumbo-jumbo, or navigate a minefield of TLAs (Three Letter Acronyms) and obscure
technology terms, wouldn’t it be nice to be told, succinctly and clearly, why a given security policy exists, i.e. the background and business context
outlining the information risks it addresses?
Add to that the general decline in standards of English grammar and spelling (despite the valiant efforts of non-native speakers), and soon we reach the point where policies verge on being unreadable. Is it any
wonder, then, that workers often don’t bother at all, or, if they do, their interpretations may be rather different from what was intended?
Writing readable, motivational and actionable policies of any sort is a particular skill that takes years of practice: frankly, it’s a job for an experienced technical author, not the office junior.
Policies that were drafted by various people at various times for various reasons, and may have been updated later by others, tend to drift apart as they
evolve, becoming disjointed. It is not uncommon to find bald contradictions, gross discrepancies or conflicts both within and without the policy suite (e.g.
differing interpretations of privacy laws and regulation), as well as outdated or missing references. That’s easy meat for the average IT auditor on a
hunting trip, and a source of confusion for those who genuinely want to understand and comply with the policies.
Security-related obligations or expectations are often scattered across the organization: some on the corporate intranet (typically in several different
places at once, in various states of disarray and decay!), others embedded in employment contracts, employee handbooks, union rulebooks, printed
on the back of staff/visitor passes and so on. Good luck keeping all that lot in check, coordinating and aligning the disparate expertise and objectives of
Information Security, HR, IT, Risk Management, Legal/Compliance and others!
Hint: even if a corporate style guide is both available and used, in practice policies often end up looking different and lacking coherence. We take pride in
the look and feel of our model policies, as well as the content.
Lack of awareness
Policies are passive, formal, rather boring documents, in other words dust magnets. They don’t exactly fly off the shelves like best sellers. They take some
effort to find, read and understand. Unless they are accompanied by suitable standards, procedures, guidelines and other awareness materials, and
supported by structured training, awareness and compliance activities to promote and bring them to life, employees can legitimately claim that they
didn’t even know of their existence - which indeed they often do when facing disciplinary action.
If workers can also demonstrate readability issues, contradictions and ambiguities, their case is strengthened - further still if the policies are
inconsistently applied and enforced. You’re building their case for them!
Hint: management must walk-the-talk. “Do as I say, not as I do” is not a defensible position in an employment tribunal or court case. If managers bend or
flagrantly disregard the information risk and security rules when it suits them, they are inadvertently sending out a powerful message to workers in
general that compliance is optional, and policies are worthless, which may be literally true.
Lack of accountability
If it is unclear who owns the policies and to whom they apply, noncompliance is the almost inevitable outcome. This, in turn, makes it risky for the
organization to discipline, sack or prosecute people for noncompliance, even if the awareness, compliance and enforcement mechanisms are in place. Do
your policies have specific owners and explicit responsibilities, including their promotion through awareness and training? Are people - including
managers - actually held to account for compliance failures and incidents?
Hint: if you don’t understand the distinction between accountability and responsibility, or compliance and enforcement, or exceptions and exemptions, you are once more missing a trick.
Lack of compliance
Policy compliance and enforcement activities tend to be minimalist, often little more than sporadic reviews
and the occasional ticking-off. Circulating a curt reminder to staff shortly before the auditors arrive, or shortly after a security incident, is not uncommon.
Policies that are simply not enforced for some reason are merely worthless, whereas those that are literally unenforceable (including those where strict compliance
would be physically impossible or illegal) can be a liability: management believes they have the information risks covered while in reality they do not. Badly-written, disjointed and inconsistent security
policies are literally worse than useless.
Hint: think about reinforcement as well as enforcement. Aside from not being sanctioned, is there any obvious benefit for workers in fulfilling or even exceeding their obligations? What’s in it for them?
Lack of process
Many of these issues can be traced back to inconsistencies in the way that security policies are generated, mandated, interpreted, applied and enforced by management. Documented policy management processes
are rare in practice, implying no standard lifecycle for policies. Policy exceptions and exemptions are handled inconsistently. Simple housekeeping activities such as version control and scheduled periodic policy reviews are beyond many
organizations, while policies generally lag well behind emerging issues such as the information risk and security implications of cloud computing, BYOD and IoT.
When you look at it dispassionately, not only is that a litany of issues but the causes are often deeply entrenched in dysfunctional organizational
practices and poor corporate governance. Some unfortunate organizations would benefit from more or less scrapping their home-grown policies and
starting afresh! A few have a firmer grip on the accountability and process issues but may be looking for inspiration in other areas, perhaps information security controls derived from the ISO27k standards to support their ISO/IEC 27001 Information Security Management System. Some fall in the middle
ground with a mixture of policy materials that can simply be spruced-up with supplemental policies to plug the gaps ... but it’s easy to fall back into the
trap by not completing the job to a consistent standard across the entire portfolio of policies. A surprising minority have no information security policies
to speak of, begging big questions about their information risk, security, privacy, governance and compliance arrangements.
Q: Our security policies must reflect our particular information risks and security requirements, so what use are generic policies?
A: Like the international standards on which they are based, the policies we supply are indeed generic and therefore need to be tailored to some extent
for your organization. The policies concern typical information risks and promote commonplace information security controls, drawing from a wide range of security standards and decades of experience. The generic policies provide a sound starting point. It is up to you to review and where necessary customize and adapt them to fit your unique context.
You may already have certain information risk and security policies or standards that need to be incorporated, for instance length and complexity
parameters for passwords, although we hope you will consider the value of the suggested parameters and policy statements (you never know: we might
just have come up with a better way of dealing with things or putting them across). Management may have determined that, for example, business
continuity planning is out of scope of your information security function and hence the information security policies, perhaps because there is a separate
department in charge of contingency planning, so you can trim out those policy statements accordingly. If, for instance, your organization has chosen to
stick with Windows 7 rather than adopting Windows 10 or some other operating system, you should carefully check any policy statements concerning security patching and support.
Unfortunately, we can’t do that for you! However, customizing a set of model policies is much easier, quicker and cheaper than writing them from scratch.
Starting with a suite of materials that were all written by the same person and are based on standards makes them more consistent and effective than compiling policies from a variety of sources.
We have invested literally hundreds of man-hours in researching, writing and refining the templates. You need only spend some small change from your
budget to have your own professionally-written, coherent, comprehensive, high-quality and ISO27k-aligned policy set ready to go in next to no time.
Q: We are about to launch a project to implement an Information Security Management System (ISMS) and are
weighing-up our options: should we do it all ourselves, engage a consultant, or start with your policy templates?
A: You are in a fortunate position if you have the skills and resources to do the ISO27k ISMS implementation entirely in-house! The ideal would be to find
a project manager with prior experience of designing, implementing and perhaps operating and managing an ISO27k ISMS. At the very least, we would
recommend putting some of your information security people through the Lead Implementer and/or Lead Auditor courses which are offered by several
trustworthy organizations. If neither option applies, then yes, we would definitely advise finding a suitable consultant to mentor and support an in-house
ISMS project manager (usually the Information Security Manager) rather than simply taking on a contract project manager to run the whole show. The point
is that the ISMS will continue indefinitely, so it's best if your people have been in the driving seat for both the design and implementation, albeit with expert guidance.
Information security policy and procedures development is a discrete part of ISMS implementation. As we see it, you essentially have five options:
Do the policy and procedures development entirely in-house, perhaps adapting and extending your existing materials in line with ISO/IEC
27001 and 27002. This is a good approach but relatively slow, and costly if you account for all the research and development and
proofreading time needed. Do you even have the skilled person or people available and willing to dedicate sufficient time to this?
Simply adopt a set of information security policies written by someone else - perhaps our generic policy set, or maybe pick from Charles
Cresson Wood's huge set of 1300 ‘policies’ (most of which are actually standards). This is also a decent option but is unlikely to deliver a set
of policies that exactly matches both your specific situation and the requirements of ISO27k. Your chances of finding useful security procedures this way are low - there is too much variation in security processes between organizations.
Accumulate a set of policies and procedures based on various sources such as examples in books and on the Web. The original materials
may be free or at least freely available (copyright compliance is itself an information security matter!) but you will need time to consolidate
them, make them all consistent, deal with the overlaps and differences and fill in the inevitable gaps. This may or may not be quicker and
cheaper than starting from scratch, depending on the quality and suitability of the materials you obtain. Either way, it is a lot of work. This is
probably the most common method in practice, despite being a major cause of serious inconsistencies - meaning not merely different styles,
formats and layouts but material discrepancies, conflicts and gaps in the policy content.
A hybrid approach, taking a set of pre-written policies such as our policy set as a starting point but customizing/adapting them to suit your organization, and developing the supporting procedures etc. as need be (perhaps using
NoticeBored as a source). The cost of licensing commercial products is offset by the savings in R&D time and money, and by the quality of the product. We are convinced this is the best option for most organizations ... but of course we are biased! It’s up to you to weigh up the pros and cons.
Employ a suitably qualified, experienced and competent consultant specifically to write precisely what you need. This is the most expensive
and time-consuming approach, especially given that the consultant needs to research your specific situation and requirements first (and if
they don’t even appreciate the need to do this, you have good reason to doubt their suitability). At the end of the assignment, provided you
have chosen your consultant wisely, you should end up with a very nice set of security policies and procedures ... that you then need to implement ... and maintain ...
Visit www.ISO27001security.com for guidance on implementing the ISO/IEC 27000-series (“ISO27k”) standards, including a free ISO27k Toolkit. If you
want to discuss your proposed approach to implementing the ISO/IEC 27000 series standards, or get some tips on policies, awareness and all that, just let us know and we’d be pleased to help (within reason! Up to one hour of telephone/email advice is free of charge for customers. If your needs are more
involved, talk to us about our consultancy services).
Q: As I understand it, an information security policy that will be circulated to all employees should be high-level,
understandable and concise. Do your topic-based information security policies fit the brief?
A: Yes, we believe so - although how you actually circulate and use them, and precisely what they say, is of course up to you.
The corporate information security policy template is specifically intended to serve as the high-level over-arching policy statement and would normally be
endorsed and mandated by senior management. As such it promotes general security principles and summarizes key controls based on those recommended in ISO/IEC 27001.
The supporting topic-based policies align directly with NoticeBored’s topical approach to information security awareness. We cover a different area every
month, for several reasons:
It keeps the awareness program fresh, and stops it going stale;
It lets us respond to emerging and current issues including information security incidents, breaches and news from the headlines;
We provide briefings, presentations and guidelines in addition to the policies, so although the policies themselves are quite short (typically just 3
or 4 pages), the supporting materials explain and expand on them;
Last but not least, the rolling monthly program gets away from the dreaded once-a-year all-employee ‘security awareness training’ and similar
compliance-driven approaches. If the only reason you want security policies and awareness is because they are demanded by your contracts,
laws and regulations, then an annual sheep-dip session and one or more formal policies may be good enough from a compliance perspective ...
but you are probably failing to recognize and address serious information risks to your organization, and certainly missing out on a raft of
business benefits from a more holistic, modern approach to adult education.
Q: Do you maintain the policies?
A: Yes ... and no.
The policy set has evolved over many years. The overall structure is pretty stable, although from time to time we introduce new policies reflecting
emerging security challenges (such as BYOD and IoT). Occasionally we retire those that are no longer relevant (e.g. security for modems with acoustic
couplers - remember them?), or split and recombine policies in response to changes in the way information technologies are being used (e.g. cloud
computing is more than just a new name for IT outsourcing: the risks and controls go beyond business relationships and contract terms).
We review and refresh the topical policies month-by-month in the course of writing awareness materials for the NoticeBored security awareness service.
With more than 60 policies in the set, it would take about 5 years to update them a month at a time, except some months we update more than one policy
and every so often we go right through the whole lot to make sure they remain consistent and relevant. The review cycle completes every 3 years or so in practice.
If you are not a NoticeBored subscriber and only buy the policies, we don’t provide policy updates. We figure you will customize and deploy policies through a policy management process
that includes regular reviews and updates to the policies themselves and the associated security awareness
collateral. To tap in to a continuous stream of updates, improvements and new policies, however, please subscribe to NoticeBored or contact us for a
special price to refresh all the policy templates.