Policies are the means of execution for the overall cybersecurity strategy. Some discuss how to keep your desk clean of sensitive information and others discuss change management, so how can we standardize the process by which we write these policies and check whether they fit or can be improved?
Cybersecurity policy should be detailed enough to describe what the cybersecurity manager expects from the IT staff and others in the organization, while staying high-level enough to allow the subjects of these policies to perform their appropriate tasks as professionally and adequately as possible.
Good cybersecurity policies reflect the company’s infrastructure, industry, culture and the application of cybersecurity to secure the company’s business processes and information assets.
Following this policy lifecycle ensures you’re taking the proper steps towards a set of policies that will be supported by management and easily adopted by employees, while remaining sustainable, relevant and enforceable.
1. Business Environment
1.1. Consult Cybersecurity Strategy
The cybersecurity strategy was created in alignment with the business strategy and approved by senior management. It is both foundation and guiding light to all cybersecurity governance and as such every cybersecurity policy should be an extension of that strategy.
1.2. Consult Regulation and Standards
The organization is bound by law and industry demands to comply with certain regulations (such as GDPR and HIPAA) and standards (such as ISO 27001 and PCI DSS). These regulations and standards are also a mandatory guideline for any cybersecurity policy to be written.
1.3. Consult Stakeholders
Stakeholders are the clients “benefiting” from the policy, the suppliers “inputting” to the policy, the implementers and other affected parties. As stated before, a good policy reflects the organizational processes and culture, and these stakeholders are the best representatives of those processes and that culture. Consulting stakeholders will get you the information you need to write good policies and will decrease resistance once the policy is to be implemented.
2. Write Policy
Once you are familiar with the organizational environment and governing forces, you can write your policy.
2.1. Clear and Concise
Keep the policy clear and concise so that the message gets across easily and produces the desired results.
2.2. Cover all Bases
Try to address all situations and possibilities concerning this policy, and leave enough information and process infrastructure to deal with unforeseen events and circumstances.
2.3. Risk-Aware, Business-Aware
Be aware of cybersecurity risk and how your policy reduces it while minimizing the impact of the policy on business processes.
Write policies in a similar structure and cross-reference other policies to avoid conflict in definitions.
Have walk-through meetings with stakeholders and get their signed approval, once again emphasizing their support and cooperation and reducing pushback on policy enforcement.
Once stakeholders support the policy, have it approved by senior management for acknowledgement and support.
Once approved by stakeholders and management, distribute the policy through all available channels, communicate to and train employees and contractors on the policy, when it’s applicable and how to implement it.
A policy that is not enforced will never be fully implemented.
Check how employees are using the policy, what issues they have in using it, and whether they need more guidance or clarification. As a last resort, have light sanctions or misconduct-reporting options. (You will now appreciate the cooperation and support gained by involving management and stakeholders in the process.)
Periodically, or when a policy fails, critically revisit the policy, its reasoning and its adaptability to the organizational goals, culture and business environment. Be critical and proactive in assessing the effectiveness of the policy and the need to change it.