Policies and Standards and Procedures – Oh My!

March 31, 2021

  • Policies are key to building a strong information security program and culture
  • Step up security awareness and training to support policy adoption
  • Avoid policy overload by following established frameworks

 


From a security engineering point of view, policies and procedures often feel like afterthoughts. Once the technical controls are in place to protect data and systems – e.g., a strong chain of firewalls, intrusion protection, anti-malware and secure authentication – the business value of having policies, standards and procedures documented is perceived as low. Why do system users need to understand and acknowledge their part in keeping data secure?

 

Personal experience has led me to respect policy’s role in a security program. A few years ago, I was working with a team of engineers in a highly secure data center. We configured firewalls and gateways to protect the network. The wall around the network was solid. But what about the people inside? We realized we had to manage their activity as well. To this end, we began to lock down Internet access and set up strict controls around Flash and JavaScript due to vulnerabilities associated with those web functions.

 

Perhaps we shouldn’t have been surprised to find we faced a user rebellion. Websites that the training division used stopped functioning due to the restrictions on Flash. The Marketing team was unable to get materials to their creative partners because we restricted uploads to the cloud. More complaints rolled in. Underlying the complaints was a valid question: What policy required the restrictions on Internet activity and on whose authority was this put in place?

 

 

When Technology and Culture Don’t Fit

Sometimes secure technology gets ahead of policy. Users are understandably confused and annoyed when they find something they could do yesterday – like transfer a file to a business partner – is no longer possible. Smart people will find ways around security gates, whether through cloud uploads, data transferred via unencrypted USB drives or the use of reverse proxies. They may not realize they’re exposing the organization to increased risk. IT security tools alone are often not enough to change behavior.

 

Good IT policy is like a blanket: It should securely cover all the corners and provide protection and assurance – not just a feeling of comfort. But sometimes it gets pulled over to one side, leaving another side exposed (competing priorities, lack of resources, short term needs, etc.). And sometimes people intentionally stick their legs out from underneath to escape its purpose (rogue staff, noncompliance, too heavy). And finally, sometimes it needs to be washed, mended or replaced to become purposeful again (review, revision, adaptation to change, ensuring relevance, closing holes.)

 

Organizations need policies for acceptable use of technology, as well as standards for data protection. The policies should explicitly state why the security measures are in place: how do they protect sensitive information and support the organization’s mission?

 

Policies come from the top – from the CIO, CISO, legal counsel or other executive responsible for security. The intent of the policy is to manage risk to a level that is acceptable, as determined by the C-Suite. The security team is not dictating what should happen, but executives are. In addition, every policy governance structure should have an exception process where businesses can spend the money to either provide compensating controls at their own expense or justify their position to the executives on why their business needs an exception.

 

Executive support is key to creating a culture of security across the organization. Training and awareness programs help spread the word and spark change. When company employees agree with security rationale, they follow the guidelines. Even if there are still those who stretch the rules, the core culture of protecting and safeguarding information will be in place.

 

 

Unconventional Training and Awareness

When I mention training and awareness, you may think of an Internet video or PowerPoint presentation. I’m thinking of the time when a joint Legal and Information Security team from went to the company cafeteria to hand out cards with the new information classification system. This was part of a data labeling and data loss prevention rollout. The colorful cards clipped onto employee badges and had quick tips for identifying and protecting data. Each card was handed out along with a snack or dessert. It was the first time I saw people lining up eagerly for security training.

 

Gamification is also an encouraging development in security training. To complete ethics training, some companies have employees play a game where the user is placed in challenging situations, such as being asked to send a bribe to a local official to get building permits. If the user agrees – oops! He/she just lost a level. Security awareness can also use games and scenarios to make learning interesting and memorable.

 

 

Just Enough Policy

While organizations need policies and standards, too many of these can become a burden and over-complicate business processes. Prioritize the essential policies and standards by identifying the regulatory needs of the organization. Ensure that, at a minimum, policies address those requirements.

 

Sending each employee a 100-page acceptable use policy to review is unlikely to garner a lot of positive feedback. Policies themselves should be quite short – ideally just a page or two. Standards can be longer, as they flesh out details of the requirements and implementation. Procedures are often technical and can be as long as needed to ensure that configuration and settings are correctly applied to meet policy and standards.

 

Table 1: Policies, Procedures, Standards, and Guidelines

 

  Definition Characteristics Example
Policies Policies are high-level statements that set the tone and temperament of management’s direction around logical, physical and managerial practices. Policies are generally not technology-specific or vendor-specific; and do not change frequently over time.

  • Mandatory
  • High-level statements and obligations
  • Deviation is discouraged
  • Vendor-independent and product-independent
  • Modified infrequently (years)
Password Policy

All passwords used to access information assets must conform to IT security standards relating to composition, length, expiration and confidentiality.
Standards Standards provide detailed and mandatory requirements for personnel in protecting organizational information and carrying out their job duties. Any deviation from a standard must be approved by management and documented.

  • Mandatory
  • Detailed statements
  • May include vendor and product names
  • Modified more frequently than a policies document
Password Standards (all platforms)

  • All passwords must have a minimum of eight characters and two complex characters
  • All passwords must be changed within 90 days
Procedures Procedures set the path for personnel in performing their job responsibilities around a specific activity. Procedures are the detailed step-by-step activities and tasks to follow. Procedures also provide prescriptive guidance on steps to take in order to comply with security policies, standards, and guidelines.

  • Usually mandatory, with discretionary elements
  • Deviation in specific circumstances allowed
  • Very detailed
  • Modified semi-frequently
Enterprise Change Procedure

All enterprise changes must be submitted to the Change Control Committee for change analysis. Upon receiving the change request, the committee will evaluate complexity and impact. Once approved, an owner will be assigned to oversee development, testing, and implementation of the change.
Guidelines Guidelines provide recommended but not mandatory guidance for personnel in protecting company information and carrying out job responsibilities. Deviations from guidelines do not require management approval.

  • Discretionary
  • Deviation acceptable if it does not conflict with intent or policy
  • Detailed statements
  • May include vendor and product names
  • Modified more often than a policy document
Intranet Site Creation

Use this guideline to your advantage by adhering to the following recommendations:

  • Be precise and punchy – people do not read web pages in the same manner as they would read a printed brochure. Facts need to be clear and unambiguous.

 

 

Some organizations have too many policies and need to consolidate or reduce them. When a policy or standard is reviewed to determine whether to keep or retire it, ask:

 

  • Is this document integral to maintaining secure and compliant operations?
  • Is this document required for regulatory compliance or certification audit?
  • Does this document provide critical information for employees on appropriate usage or actions?
  • What are the ramifications of not having policy that addresses this area?

 

Once you have a structured policy library in place, you have taken steps to satisfy the requirements of many industry and government regulations, including Payment Card Industry Data Security Standard (PCI DSS), General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA) and the Cybersecurity Maturity Model Certification (CMMC).

 

 

Frameworks and Templates

Policies and procedures should be based on established frameworks and the organization’s role in government, critical infrastructure or industry will guide framework adoption. Examples of frameworks include the NIST Cybersecurity Framework (CSF), ISO/IEC programs, Federal Financial Institutions Examination Council (FFIEC) standards and PCI SSC standards.

 

To begin, identify the current policies and standards in use by your organization. An initial exercise may include cross-referencing these documents to the selected control framework or standard. A gap assessment will detect areas that are not sufficiently addressed in existing policies, standards and procedures. Out of this exercise will emerge a list of key policies and standards that need to be developed or updated.

 

The next step is to set up a template to use consistently for policies and standards. Typically, the template for standards will include sections shown here:

 

Table 2: Template Example

 

Section Description
Standard Statement The standard’s intent, when the standard applies and any mandated actions or constraints
Scope Systems, sites and personnel affected by the standard
Definitions Terms specific to the standard
Responsibilities Who is responsible for implementing standard and procedures?
Compliance repercussions for violating the standard
Related Information Information Related policies, websites and documents that provide supplemental information to the standard
Revision History Brief description of any revisions to the standard

 

Documents may be developed internally or with the help of a consultant and experience with framework requirements is often helpful. A consultant familiar with PCI or HIPAA can help your organization write policies and standards that meet those requirements.

 

So consider the humble “P&P” – policies and procedures. Not as exciting as a new firewall, but still an important part of a security program. By keeping your organization’s policies current and relevant, you provide essential direction and practical guidance to keep data secure and protected.

 

Peer review and contributor: Matthew D. Lammers – Manager, IT Risk Transformation & Advisory CISO

Matthew Lammers
Matthew D. Lammers – IT Risk Transformation & Advisory CISO | Optiv
Matt Lammers has 20 years’ experience in both consulting and corporate enterprise environments. His experience ranges from SMBs and the public sector to Fortune 500 corporations in a variety of verticals and industries.

Prior to joining Optiv, Lammers served as CISO and HIPAA Security Officer at a large public healthcare organization as well as CISO at a renowned Australian university. He previously spent nearly 10 years at IBM and several years in the Big 4 at both Deloitte and EY. Prior to joining Optiv, Lammers was Global Head of IS Risk Management at ABB in Zurich.

Lammers earned a bachelor’s degree from The Ohio State University and has been a CISSP in good standing since 2003. Matt is a prior PCI-QSA and HITRUST CCSFP and has previously held US Government security clearances.