The role of policy is to codify guiding principles, shape behavior, provide guidance for decision makers, and serve as an implementation roadmap. An information security policy is a directive that defines how an organization is going to protect its information assets and information systems, ensure compliance with legal and regulatory requirements, and maintain an environment that supports the guiding principles.
The objective of an information security policy and corresponding program is to:
- Protect the organization, its employees, its customers, and also vendors and partners from harm resulting from intentional or accidental damage, misuse, or disclosure of information;
- Protect the integrity of the information; and
- Ensure the availability of information systems.
Successful information security policies establish what must be done and why it must be done, but not how to do it. Good policy has the following seven characteristics:
- Endorsed – The policy has the support of management.
- Relevant - The policy is applicable to the organization.
- Realistic – The policy makes sense.
- Attainable – The policy can be successfully implemented.
- Adaptable – The policy can accommodate change.
- Enforceable – The policy is statutory.
- Inclusive – The policy scope includes all relevant parties.
Taken together, the characteristics can be thought of as a policy pie, with each slice being equally important.
We have all heard the saying “Actions speak louder than words.” In order for an information security policy to be successful, leadership must not only believe in the policy, they must also act accordingly by demonstrating an active commitment to the policy by serving as role models. This requires visible participation and action, ongoing communication and championing, investment, and prioritization.
Nothing will doom a policy quicker than having management ignore, or worse, disobey or circumvent it. Conversely, visible leadership and encouragement are two of the strongest motivators known to human kind.
Strategically, the information security policy must support the guiding principles and goals of the organization. Tactically, it must be relevant to those who must comply. Introducing a policy to a group of people who find nothing recognizable in relation to their everyday experience is a recipe for disaster.
Policy writing is a thoughtful process that must take into account the environment. If policies are not relevant, they will be ignored or worse, dismissed as unnecessary and management will be perceived as being out of touch.
Think back to your childhood to a time you were forced to follow a rule you did not think made any sense. The most famous defense most of us were given by our parents in response to our protest was “Because I said so!” We can remember how frustrated we became whenever we heard that statement, and how it seemed unjust. We may also remember our desire to deliberately disobey our parents – to rebel against this perceived tyranny. In very much the same way, policies will be rejected if they are not realistic. Policies must reflect the reality of the environment in which they will be implemented.
If you engage constituents in policy development, acknowledge challenges, provide appropriate training, and consistently enforce policies, employees will be more likely to accept and follow the policies.
Information security policies and procedures should only require what is possible. If we assume that the objective of a policy is to advance the organization’s guiding principles, one can also assume that a positive outcome is desired. A policy should never set up constituents for failure; rather, it should provide a clear path for success.
It is important to seek advice and input from key people in every job role in which the policies apply. If unattainable outcomes are expected, people will fail. This will have a profound effect on morale and will ultimately affect productivity. Know what is possible.
In order to thrive and grow, businesses must be open to changes in the market and willing to take measured risks. A static set-in-stone information security policy is detrimental to innovation. Innovators are hesitant to talk with security, compliance, or risk departments for fear that their ideas will immediately be discounted as contrary to policy or regulatory requirement. “Going around” security is understood as the way to get things done. The unfortunate result is the introduction of products or services that may put the organization at risk.
An adaptable information security policy recognizes that information security is not a static, point-in-time endeavor, but rather an ongoing process designed to support the organizational mission. The information security program should be designed in such a way that participants are encourage to challenge conventional wisdom, reassess the current policy requirements, and explore new options without losing sight of the fundamental objective. Organizations that are committed to secure products and services often discover it to be a sales enabler and competitive differentiator.
Enforceable means that administrative, physical, or technical controls can be put in place to support the policy, that compliance can be measured and, if necessary, appropriate sanctions applied.
If a rule is broken and there is no consequence, then the rule is in effect meaningless. However, there must be a fair way to determine if a policy is violated, which includes evaluating the organization support of the policy. Sanctions should be clearly defined and commensurate with the associated risk. A clear and consistent process should be in place so that all similar violations are treated in the same manner.
It is important to include external parties in our policy thought process. It used to be that organizations only had to be concerned about information and systems housed within their walls. That is no longer the case. Data (and the systems that store, transmit, and process it) are now widely and globally distributed. Organizations that choose to put information in or use systems in “the cloud” may face the additional challenge of having to assess and evaluate vendor controls across distrusted systems in multiple locations. The reach of the Internet has facilitated worldwide commerce, which means that policies may have to consider an international audience of customers, business partners, and employees. The trend toward outsourcing and subcontracting requires that policies be designed in such a way to incorporate third parties. Information security policies must also consider external threats such as unauthorized access, vulnerability exploits, intellectual property theft, denial of service attacks, and hacktivism done in the name of cybercrime, terrorism, and warfare.
An information security policy must take into account organization objectives; international law; the cultural norms of its employees, business partners, suppliers, and customers; environmental impacts and global cyber threats. The hallmark of a great information security policy is that it positively affects the organization, its shareholders, employees, and customers, as well as the global community.
Note: This article is an excerpt from Security Program and Policies: Principles and Practices (2nd Edition) by Sari Greene.