Why Information Security Policies, Standards and Procedures Should Be Top Priority
- Written by: Matthew McGill
Information security policies, standards and procedures typically fall to the bottom of many companies’ to-do lists. Nobody gets excited about the tedious process of creating these kinds of documents. But the effort to create and maintain them pays off: investing the time now makes your organization more secure and more efficient in the months and years ahead.
What They Are
First, let’s break down what goes into each of these governance documents.
Information Policies – The “What”
Policies are the high-level statements that communicate your objectives. Think about the information security policies as the vision statement that clearly states your values in this area and what you intend to put into action. Your organizational culture will drive how you set policies, as they reflect how you view risk, what role you expect end users to play in security and more.
Information Standards – The “How Often/Much”
Standards go more in-depth and elaborate on the policies. Standards will specify details such as:
- Who will implement the standards
- Specific responsibilities of the associated departments
- Groups affected by the standard
- Who owns the individual standard
Standards lay out how each control area fits into the overall information security program. For example, if the control framework you follow requires specific firewall configurations or encryption measures, your standards state what your organization does to meet those requirements. When you’re trying to satisfy compliance requirements and frameworks, auditors and assessors will talk a lot about your “policies,” but the evidence they are typically looking for lives at the level of standards.
Information Procedures – The “How”
Procedures are the step-by-step instructions for fulfilling the policies and standards. For every control area your policy covers, you should have corresponding procedures explaining how the organization carries out that policy. Procedures turn policies and standards into tangible action steps. Each procedure should identify who performs each step (by role rather than by individual name, so the document survives staff turnover) and which systems and tools are used to do it.
5 Situations Where Your Work on Policies/Standards/Procedures Pays Off
- You experience a breach – Your Incident Response plan and Business Continuity/Disaster Recovery plans will help limit the damage and restore your operations as quickly as possible.
- You have to discipline/dismiss an employee for inappropriate use of technology – Your Acceptable Use Policy, which you had each employee sign on their first day, lets you enforce the rules.
- Vendors demand evidence of your security program – You can share a wide variety of documents to show that you take security seriously at all levels of the organization.
- A user accidentally gives their credentials to an attacker – A solid Access Authorization/Identity and Access Management policy that grants each user only the access their role requires limits what those stolen credentials can reach, and therefore how far the attacker can move within your systems.
- An entry-level employee makes a bad choice on a firewall setting – Your Change Management policy builds in reviews to catch unintended consequences in time.
Why You Need Them
Now let’s explore why these three types of documents are important for your business.
Meet Compliance Requirements
It’s just good business to have solid policies, standards and procedures, but it usually takes outside pressure to make organizations get serious about them. In today’s tougher cyber insurance marketplace, for example, you may not be able to renew a policy without basic policies and standards in place, and having them documented can also improve your rates. Many large companies are also taking a harder look at the cybersecurity practices of their vendors, so your company’s contracts may soon depend on having the policies, standards and procedures that demonstrate a mature security posture.
Establish Continuity
It's crucial that you show your employees exactly what is expected of them. A murky vision inevitably raises questions. Creating a universal guide for everyone will unify and direct the team in times of crisis or confusion.
Allow Enforcement
A written governance program gives leaders a way to enforce the practices they want employees to follow. If these expectations are laid out clearly in easy-to-find policies, standards and procedures, you can hold everyone accountable for abiding by them. Your employee onboarding process should build cybersecurity awareness into every employee’s first day on the job. One of their first tasks should be reading applicable policies and signing a statement that they have read the documents and agree to comply with them.
Create a Security Culture
Executives should be involved in creating the policies, standards and procedures and should play a role in socializing them throughout the organization. If an executive is involved in the creation of these documents, they’re more likely to understand what’s happening when problems arise. That makes it easier for IT professionals, and other employees, to communicate and understand what is important to the executives.
How to Get Started
1. Identify Your Needs
Your organizational size and industry niche will mandate some of the governance documents you need. A large business with numerous employees typically requires a more detailed plan than a small organization.
2. Build an Action Plan
You need to address how to get the governance program in place. Talk with your IT operations team to make sure they’re ready to follow the program you are trying to build. If not, find out what resources and tools they need to achieve the organization’s security goals. Open communication is key.
3. Maintain and Update
Understand that once you have your policies, standards and procedures in place, you still have work to do. Maintaining and updating your documents is just as important as the initial creation process. Times change, and so should your security governance. Review all of these documents at least annually, and whenever the business, its technology or the threat landscape changes significantly, to evaluate the security controls protecting the confidentiality, integrity and availability of your business’s sensitive information.
4. Test
Several policies and procedures require regular testing to confirm that everyone understands them, that they’re still current and that somebody actually knows how to carry out each step. Incident response plans, in particular, require regular testing via tabletop exercises and other evaluations. During testing, many organizations discover that a step such as “restore data from backup” is not as straightforward as it sounds once someone has to say exactly which backup, which system and who has the access to do it. That prompts them to update the plan with the missing detail so it is truly ready when it’s needed.
If you need help creating and maintaining policies, standards, and procedures, HBS can help. Contact us today.