There are many organisations that don’t have a formal, structured policy framework in place. From a best practice perspective, a formal, structured approach to policy development, implementation and management is required. Unstructured, unilateral and unspecific policies have generally proved ineffective as mechanisms for managing activities (like information security) and reducing organisational risk. A structured approach improves awareness and compliance because targeted audiences only need to reference the document that is applicable to them and not lengthy detailed documents.
Clients often ask us to update or review a policy and the first question we ask is do you have a policy framework. We follow a specific policy framework we have developed based on ISO/IEC 27001 and ISO/IEC 27002 (the South African Standards), best practices, generally accepted security principles, our own expertise and experience in the area of information security, information management, law and risk management.
You need a structured policy framework
There is no information security policy standard and no general consensus as to what policies or how many should be in place, nor is there general consensus on policy design or content. Some organisations have a single generic document which combines policy, guidelines and standards (the combination approach), whilst others have multiple policies, guidelines and standards documents.
We advocate an approach which clearly differentiates between issue-specific, operational policies, standards and procedures, each of which should be set forth in separate documents. The need to clearly differentiate between them is emphasised by the ISO 9000 Quality Standards for the preparation of internal documentation. For example, these ISO standards expressly state that policies must be separate and distinct from procedures. The South African Standard leaves it up to the individual organisations concerned to identify various issue-specific, operational policies that are related to the topic of interest.
Policies that are successfully implemented:
- follow a document hierarchy;
- take into account the organisation’s own identified risks and business needs;
- put in place a set of information security measures to demonstrate that the organisation exercised due care and was not negligent;
- are compatible with the organisation’s culture and are thus more likely to be accepted and supported;
- are aimed at different audiences; and
- are kept up to date.
Typically, such a framework would include a document hierarchy. The following types compromise the document hierarchy:
- Charter: (or mission statement) a concise document positioned at the top of the hierarchy that forms the capstone of the policies and presents the organisation’s philosophy of information security and establishes a management mandate for and commitment to implementing that philosophy;
- Policies: There should be issue-specific, operational policies that that apply to specific issues (see the types of IT policies) and domains (for example applications, business units and regions) that must be complied with by all persons accessing these domains and to whom the issues apply;
- Standards: these specify mandatory, uniform uses of specific technologies, configurations and procedures;
- Procedures: provide detailed steps (sometimes in the form of a checklist) to be followed to achieve a particular recurring task (for example assigning appropriate privileges, running daily backups and updating firewall rules);
- Guidelines: provide additional (optional) advice and support for policies, standards and procedures, as well as general guidance on issues such as how to secure systems, what to do in particular circumstances etc.
Audience-driven approach to a policy framework
Generally, policies are directed at several significantly different audiences because each audience has distinctly different needs.
For example, with end users, the focus is generally on acceptable use. But who is an end user? Is it permanent employees only or does it include people on fixed-term contracts? What about suppliers?
With technical staff the focus is in much more detail, such as how to carry out a monitoring of a user email inbox or how to respond to a security incident or privacy breach. Separate documents should therefore be addressed to separate audiences so that the relevant audience is provided with only the information that is relevant to them. People need to only read those policies that directly apply to their own job.
Some policies are also directed at customers or management.
Characteristics of good policies
Generally, issue-specific policies are easy to read, easy to rely on, easy to implement, easy to manage, easy to implement and easy to rely on in a court of law:
- Easy to read: In the fast-paced information economy in which we live, people are pressed for time and will generally only read things that are relevant to them. The policies should therefore be in plain language and focused on particular audiences (typically end-users, management and technical staff) addressing only those issues that are absolutely needed and that focus only on the essentials. Addressing a policy to multiple categories on readers makes it hard for the reader to find relevant information. For example, they might have to sift through a whole lot of rules before getting to the relevant rule relating to their email use.
- Easy to rely on: Where one has issue-specific policies, it is easier to accompany those policies with necessary guidelines or standards or procedures – something which is difficult to do with “bundled” policies as the issue specific guidelines, standards or procedures often come across in a “clumsy” manner as it is not clear which issue they pertain to (for example, email guidelines relating to for example retention of email records, purging of email, technical email restrictions would bear no relevance to Internet-specific guidelines).
- Easy to manage: Problems that arise tend to relate to issues and if those problems are recorded on an issue by issue basis, then it is easier to update the issue-specific policies when reviewed annually.
- Easy to implement: For purposes of education and awareness, it is easier to convey key messages as they relate to issues contained in the issue-specific policies. Furthermore, for purposes of assigning information Owners, Custodians and users, it is only possible to do so where such assignment takes place in relation to specific issues.
- Easy to rely on in a court of law: One of the essential guidelines in cases of dismissal for misconduct (in terms of Schedule 8 of the Code of Good Practice to the Labour Relations Act of 1995) for determining whether a dismissal or misconduct is unfair is “(a) whether or not the employee contravened a rule or standard regulating conduct … the rule was a valid or reasonable rule or standard … the employee was aware, or could reasonably be expected to have been aware, of the rule or standard … the rule or standard has been consistently applied by the employer“. It is not possible to demonstrate “validity“ or “reasonableness“ if the relevant “rule or standard” is found in a guideline (which is optional) rather than an issue specific policy (which is mandatory). More importantly, however, is the fact that an employee might be able to raise the defence in a disciplinary enquiry that there was in fact no “rule or standard” as (if it is contained in the guidelines) the rule is merely optional and does not have to be followed.