Information Risk and Security Policy FAQ

These answer frequently asked questions concerning our information risk and security policy materials. If you have other questions or comments, do please let us know.


Policy FAQ quick links


Q: We already have a bunch of security policies. What’s wrong with those?

A: You tell me! Does the fact that you are reading this FAQ mean you are not entirely happy with your existing policies? Or are you simply looking for improvement ideas? Either way, see just whether any of the following concerns ring true to you:

Limited scope

‘Security policies’ are typically restricted to IT, cyber or technical security matters in reality, leaving substantial gaps, especially in the wider aspects of information risk and security such as human factors, fraud, privacy, intellectual property, business continuity, business relationships and industrial espionage. In the absence of a reasonably comprehensive policy framework, your policy coverage is likely to have more holes than Swiss cheese.

Poor quality

Good policy writingFor some obscure reason, corporate policies are often drafted in a stilted pseudo-legal style that makes them hard for ordinary people to comprehend. Do we really need to be told there are “three (3) requirements” that “include, but are not limited to, the following ...”? What’s wrong with “for example”, for example?

Instead of having to wade through pages and pages of mumbo-jumbo, or navigate a minefield of TLAs (Three Letter Acronyms) and obscure technology terms, wouldn’t it be nice to be find out why a given security policy exists i.e. the background/business context succinctly outlining the information risks it addresses?

Add to that the general decline in standards of English grammar and spelling (despite the valiant efforts of non-native speakers), and soon we reach the point where policies verge on being unreadable. Is it any wonder, then, that workers often don’t bother at all, or if they do their interpretations may be rather different to what was intended?

Writing readable, motivational and actionable policies of any sort is a particular skill that takes years of practice: frankly, it’s a job for an experienced technical author, a professional, not the office junior.

Inconsistencies

Policies that were drafted by various people at various times for various reasons, and may have been updated later by others, tend to drift apart as they evolve, becoming disjointed.  It is not uncommon to find bald contradictions, gross discrepancies or conflicts both within and without the policy suite (e.g. differing interpretations of privacy laws and regulations), as well as outdated or missing references. That’s easy meat for those who elect not to follow the rules, and a source of confusion for those who genuinely want to understand and comply with the policies.

Security-related obligations or expectations are often scattered across the organization, partly on the corporate intranet (typically in several different places at once, in various states of disarray and decay!) and others embedded in employment contracts, employee handbooks, union rulebooks, printed on the back of staff/visitor passes and so on. Good luck keeping all that lot in check, coordinating and aligning the disparate expertise and objectives of Information Security, HR, IT, Risk Management, Legal/Compliance, Audit and others! 

Hint: even if a corporate style guide is both available and used, in practice policies often end up looking different and lacking coherence. We take pride in the look and feel of our model policies, as well as the content.

Lack of awareness

Policies are passive, formal, rather boring documents, in other words dust magnets. They don’t exactly fly off the shelves like best sellers. They take some effort to find, read and understand. Unless they are accompanied by suitable standards, procedures, guidelines and other awareness materials, and supported by structured training, awareness and compliance activities to promote and bring them to life, employees can legitimately claim that they didn’t even know of their existence - which indeed they often do when facing disciplinary action.

If workers can also demonstrate readability issues, contradictions and ambiguities, their case is strengthened - further still if the policies are inconsistently applied and enforced.  You’re building their case for them!

Hint: management must walk-the-talk. “Do as I say, not as I do” is not a defensible position in an employment tribunal or court case. If managers bend or flagrantly disregard the information risk and security rules when it suits them, they are inadvertently sending out a powerful message to workers in general that compliance is optional, and policies are worthless, which may be literally true. 

Lack of accountability

If it is unclear who owns the policies and to whom they apply, noncompliance is the almost inevitable outcome. This, in turn, makes it risky for the organization to discipline, sack or prosecute people for noncompliance, even if the awareness, compliance and enforcement mechanisms are in place. Do your policies have specific owners and explicit responsibilities, including their promotion through awareness and training? Are people - including managers - actually held to account for compliance failures and incidents?

Hint: if you don’t understand the distinction between accountability and responsibility, or compliance and enforcement, or exceptions and exemptions, you are once more missing a trick.

Lack of compliance

Quote from Larry Ponemon of the Ponemon InstitutePolicy compliance and enforcement activities tend to be minimalist, often little more than sporadic reviews and the occasional ticking-off. Circulating a curt reminder to staff shortly before the auditors arrive, or shortly after a security incident, is not uncommon. Policies that are simply not enforced for some reason are merely worthless, whereas those that are literally unenforceable (including those where strict compliance would be physically impossible or illegal) can be a liability: management believes they have the information risks covered while in reality they do not. Badly-written, disjointed and inconsistent security policies are literally worse than useless.

Hint: think about reinforcement as well as enforcement. Aside from not being sanctioned, is there any obvious benefit for workers in fulfilling or even exceeding their obligations? What’s in it for them?

Lack of process

Many of these issues can be traced back to inconsistencies in the way that security policies are generated, mandated, interpreted, applied and enforced by management. Documented policy management processes are rare in practice, implying no standard lifecycle for policies. Policy exceptions and exemptions are handled inconsistently. Simple housekeeping activities such as version control and scheduled periodic policy reviews are beyond many organizations, while policies generally lag well behind emerging issues such as the information risk and security implications of cloud computing, BYOD and IoT.

 

When you look at it dispassionately, not only is that a litany of issues but the causes are often deeply entrenched in dysfunctional organizational practices and poor corporate governance. Some unfortunate organizations would benefit from more or less scrapping their home-grown policies and starting afresh! A few have a firmer grip on the accountability and process issues but may be looking for inspiration in other areas, perhaps information security controls derived from the ISO27k standards to support their ISO/IEC 27001 Information Security Management System. Some fall in the middle ground with a mixture of policy materials that can simply be spruced-up with supplemental policies to plug the gaps ... but it’s easy to fall back into the trap by not completing the job to a consistent standard across the entire portfolio of policies. A surprising minority have no information security policies to speak of, begging big questions about their information risk, security, privacy, governance and compliance arrangements.


Q: Our security policies must reflect our particular information risks and security requirements, so what use are generic policies?

A: Like the international standards on which they are based, the policies we supply are indeed generic and therefore need to be tailored to some extent for your organization. The policies concern typical information risks and promote commonplace information security controls, drawing from a wide range of security standards and decades of experience. The generic policies provide a sound starting point. It is up to you to review and where necessary customize and adapt them to fit your unique context.

You may already have certain information risk and security policies or standards that need to be incorporated, for instance length and complexity parameters for passwords, although we hope you will consider the value of the suggested parameters and policy statements (you never know: we might just have come up with a better way of dealing with things or putting them across). Management may have determined that, for example, business continuity planning is out of scope of your information security function and hence the information security policies, perhaps because there is a separate department in charge of contingency planning, so you can trim out those policy statements accordingly. If, for instance, your organization has chosen to stick with Windows 7 rather than adopting Windows 10 or some other operating system, you should carefully check any policy statements concerning security patching and support.

Unfortunately, we can’t do that for you! However, customizing a set of model policies is much easier, quicker and cheaper than writing them from scratch. Starting with a suite of materials that were all written by the same person and are based on standards makes them more consistent and effective than compiling policies from a variety of sources.

We have invested literally hundreds of man-hours in researching, writing and refining the templates. You need only spend some small change from your budget to have your own professionally-written, coherent, comprehensive, high-quality and ISO27k-aligned policy set ready to go in next to no time.


Q: We are about to launch a project to implement an Information Security Management System (ISMS) and are weighing-up our options: should we do it all ourselves, engage a consultant, or start with your policy templates?

A: You are in a fortunate position if you have the skills and resources to do the ISO27k ISMS implementation entirely in-house! The ideal would be to find a project manager with prior experience of designing, implementing and perhaps operating and managing an ISO27k ISMS. At the very least, we would recommend putting some of your information security people through the Lead Implementer and/or Lead Auditor courses. If neither option applies, then yes we would definitely advise finding a suitable consultant to mentor and support an in-house ISMS project manager (usually the Information Security Manager) rather than simply take on a contract project manager to run the whole show. The point is that the ISMS will continue indefinitely, so it's best if your people have been in the driving seat for both the design and implementation, albeit with expert guidance.

Information security policy and procedures development is a discrete part of ISMS implementation. As we see it, you essentially have five options:

  1. Do the policy and procedures development entirely in-house, perhaps adapting and extending your existing materials in line with ISO/IEC 27001 and 27002. This is a good approach but relatively slow, and costly if you account for all the research and development and proofreading time needed. Do you even have the skilled person or people available and willing to dedicate sufficient time to this?
  2. Simply adopt a set of information security policies written by someone else - this is also a decent option but is unlikely to deliver a set of policies that exactly matches both your specific situation and the requirements of ISO27k. Your chances of finding useful security procedures this way are low - there is too much variation in security processes between organizations.
  3. Accumulate a set of policies and procedures based on various sources such as examples in books and scattered across the Web. The original materials may be free or at least freely available (copyright compliance is itself an information security matter!) but you will need time to consolidate them, make them all consistent, deal with the overlaps and differences and fill in the inevitable gaps. This may or may not be quicker and cheaper than starting from scratch, depending on the quality and suitability of the materials you obtain. Either way, it is a lot of work. This is probably the most common method in practice, despite being a major cause of serious inconsistencies - meaning not merely different styles, formats and layouts but material discrepancies, conflicts and gaps in the policy content.
  4. A hybrid approach , taking a set of pre-written policies such as our policy set as a starting point but customizing/adapting them to suit your organization, and developing the supporting procedures etc. as needs be. The cost of licensing commercial products is offset by the savings in R&D time and money, and by the quality of the product. We are convinced this is the best option for most organizations ... but of course we are biased! It’s up to you to weigh up the pros and cons.
  5. Employ a suitably qualified, experienced and competent consultant specifically to write precisely what you need. This is the most expensive and time-consuming approach, especially given that the consultant needs to research your specific situation and requirements first (and if they don’t even appreciate the need to do this, you have good reason to doubt their suitability). At the end of the assignment, provided you have chosen your consultant wisely, you should end up with a very nice set of security policies and procedures ... that you then need to implement ... and maintain ...

Visit ISO27001security.com for guidance on implementing the ISO/IEC 27000-series (“ISO27k”) standards, including a free ISO27k Toolkit.  If you want to discuss your proposed approach to implementing the ISO/IEC 27000 series standards, or get some tips on policies, awareness and all that, just let us know and we’d be pleased to help (within reason! Up to one hour of telephone/email advice is free of charge for customers. If your needs are more involved, talk to us about our consultancy services).


Q: Do you maintain the policies?

A: Yes ... and no.

The policy set has evolved over many years. The overall structure is pretty stable, although from time to time we introduce new policies reflecting emerging security challenges (such as BYOD, cloud and IoT). Occasionally we retire those that are no longer relevant (e.g. security for modems with acoustic couplers - remember them?), or split and recombine policies in response to changes in the way information technologies are being used.

We don’t provide policy updates. We figure you will customize and deploy policies through a policy management process that includes regular reviews and updates to the policies themselves and the associated security awareness collateral. 

Matthew Putvinski quote re importance of policies

HomePolicies > Infosec Policy FAQ >

Copyright © 2019 IsecT Ltd.