How to Write Good Policies
Policy Elements to Consider for Your Organization
August 30, 2013
CyberTears.Org
Dr. Shawn P. Murray, C|CISO, CISSP, CRISC, FITSP-A

© Copyright 2013 – Murray, Shawn P.

Note: Author maintains full ownership; however, this article can be freely used and distributed as long as the author is properly referenced.


Introduction

One of the most inexpensive countermeasures we can deploy in our organization is an effective security policy. There are different schools of thought regarding policies that can be debated; however, the focus of this article is to outline some basic elements which should be considered when developing policies in general.

Policies, in general, are meant to articulate the organization’s expectations, express specific behaviors, achieve goals or identify actions to be taken in a specific scenario. Generally, when the organization believes something fits into the above criteria and is important enough to write down, it is presented in a document usually referred to as a policy. Effective policies can reduce the risk of employees damaging property, working unsafely or inefficiently, or harming the reputation of the organization overall.

A BIT ABOUT THE DIFFERENCE BETWEEN POLICIES, PROCEDURES, STANDARDS AND GUIDELINES

There are differences in how an organization uses various written tools to meet organizational objectives. Many use policies, procedures, standards and guidelines. There are other tools; however, these are the most used in a given environment. There are relationships between the tools as identified below.

Policies

Policies are normally high level organizational documents approved by executive management. Policies that are not approved at this level are difficult to enforce. Policies are important for the organization’s success and should meet organizational goals that align with the mission or overall business strategy.

Procedures

Procedures are specific and detailed instructions or tasks that should be followed without deviation and allow an individual or group to meet a specific standard. Compliance with procedures is mandatory for ensuring uniformity and accuracy and for controlling an expected outcome. They should be periodically reviewed for effectiveness.

Standards

Standards define mandatory requirements that should be followed by all. If we didn’t have standards, then we would have too many commonly used proprietary products that are made differently (think about electronics, automotive parts and engineering principles). Well known standards authorities include the International Organization for Standardization (ISO), the Institute of Electrical and Electronics Engineers (IEEE) and the National Institute of Standards and Technology (NIST).

Guidelines

Guidelines are developed as guidance for implementing standards. Think of them as general instructions that should be followed to meet the mandatory requirements of the standard. In the absence of a standard, guidelines can also advise someone making decisions to meet organizational objectives, reducing the risk of proceeding without any process at all. Guidelines are not normally mandatory.

Elements of a good policy

The following elements should be considered when developing your policy:

Cover page, Title page - The cover page or title page should state the policy name and current version of the policy. It should include a control mechanism like a policy number that is more easily tracked for administrative purposes. The name of the company and executive branch within the organization should be identified on the cover page as well. Example: CyberTears.org, Office of the Chief Information Officer, Cyber Security Division

Document control page – The document control page has various names: “Document History”, “Document Change Page”, etc. The purpose of the document control page is to track the historical record of the policy. It is properly titled and contains a table with basic revision history information: version number, release or approval date, summary of changes, section or paragraph numbers that were updated, and a user identifier that indicates who made the change(s). The first entry on the document control page should be the initial release. If a periodic review is required, it would be recorded here as well, even if no changes were made to the document.

Plain and Simple – Most policies should be written in plain and simple language that is easy to read and understand. Avoid excessive use of acronyms and spell them out the first time if you have to use them. Technical or legal policies can be verbose and difficult to read. Have an editor review your policies to ensure they are appropriate for the intended audience.

Executive buy in – It was mentioned earlier in this article that policies should be approved by senior management. This is crucial for the policy to maintain effectiveness. When a policy is not supported by management it is difficult to enforce and becomes ineffective or irrelevant to the success of the company. There should be a clear message to the organization that upper management approved and fully supports the policies that are developed. This should be articulated in the policy as well.

Policies should be reviewed periodically to ensure they still align with the organization’s overall mission and business strategy. If a policy no longer supports the organization’s success, the policy should be updated or removed. Some policies should be reviewed for currency by subject matter experts to ensure they comply with federal or state laws; examples of these types of policies include human resources policies, environmental and safety policies, and policies that pertain to work done with other companies outside the organization.

Policies should be enforceable – Because policies are written to articulate specific expectations, they should be enforceable. Enforceability is achieved when the following policy characteristics are known by the policy stakeholders:

• Intended audience
• Policy applicability
• Policy details
• An accountability statement
• Acknowledgement

Identify your audience and applicability – Not all policies are written for all of the personnel in the company. Identifying your audience is key to ensuring good focus on the policy objectives. For instance, an acceptable use policy for computing resources would be applicable to all employees in the organization; however, a policy that states how network and computer configurations are to be made may apply only to the network and systems administrators as part of a specific configuration control process.

Policy details – This is where the organization outlines the tasks and articulates expectations regarding the policy. The policy introduction and purpose should be stated first, followed by the details of how objectives are to be achieved. Additional details may include training and resource requirements and references to applicable procedures, standards or guidelines necessary for personnel to achieve policy objectives.

Acknowledgement and accountability – Policies should be acknowledged by the personnel they are written for. The most effective way to get an employee to recognize and comply with a policy is to have them sign that they acknowledge it. This can be accomplished by the old fashioned pen-and-ink method or electronically. Accountability allows the organization to enforce compliance in the event there is a deviation from the policy. As listed above, an accountability statement should articulate the ramifications of noncompliance. This way the employees understand what to expect if they don’t meet requirements. A common example of an accountability statement would be: “Deviation from this policy may result in administrative and/or disciplinary action, up to and including termination”.

Other things to consider

Policy management – For large organizations, there are scalable software solutions that allow for the effective management of the many various policies that may be required for the organization to conduct business. Complicated business unit relationships within a company may require different management techniques that accommodate international laws and laws of other countries where business is conducted.

Some organizations have a single person or a small office of personnel that manage the organization’s policies. These personnel are not necessarily the experts regarding the policies; however, they coordinate with the policy owners and internal review authorities to ensure policy currency, applicability and compliance. They would also serve as the distribution authority and maintain the policy library for the organization.

For small to medium sized companies, it is sometimes more practical to hire another firm to write, update or review policies. When a company does not have the expertise or time to produce effective policies, outsourcing these services should be considered.

Deconfliction – Ensure that the development of one policy does not conflict with another policy. Sometimes this happens with unique policies that cross over stakeholder groups and affect other policies. There should be a deconfliction process for when this happens.

Don’t overdo it – We don’t write policies and implement them in our organization just because we enjoy them. You should only develop and write policies when they are needed. Having policies for everything you do can place too many constraints on your personnel and increase the possibility of creating conflicting policies. Remember you have the other tools discussed earlier in this article to address key areas that need to be managed effectively.

Conclusion

This article discussed how to write good policies and described good policy elements that an organization would want to consider so that it can operate effectively and efficiently. Good policies articulate specific organizational objectives that align with the overall business strategy. Policies let employees know what expectations are and reduce risk to the organization overall. Policies should be updated periodically, enforceable and include support from executive management or they lose effectiveness.
