Honey has been used for human consumption for almost nine thousand years. Its sweet flavor brings life to thousands of dishes around the world.
We typically only appreciate the finished product, as that’s what we use in our culinary adventures. But, behind this delicious nectar is an intricate and calculated process that requires a ton of coordination, structure, and hard work.
In this way, honey is a lot like information security programs.
We often take for granted the protections that are put in place for us by the companies we work with, work for, buy from, etc. But behind solid data protection is a ton of coordination, structure, and hard work.
At the core of the hive is the honeycomb—an intricate and foundational structure built by worker bees that holds the whole operation together, providing protection and nutrients to help the hive grow and produce its precious substance.
Much like the hive, security programs rely on foundational building blocks that allow the rest of the program and its workers to succeed.
These foundational building blocks are usually in the form of policies, standards, procedures, guidelines, and controls.
Despite the importance of formalized policies to the success of security programs, many organizations fail to adopt a full set of policies. But we’ve seen instances of companies making drastic improvements to their programs with this adoption.
So, here are some roadblocks companies typically run into when creating and implementing policies, advice for handling those roadblocks, and an example of an organization that successfully implemented a full policy set—and the impact it has had.
To successfully implement policies into our security programs, we need to understand what policies are.
We define policies as:
Formal statements produced and supported by senior management.
Policies are formal statements produced and supported by senior management.
They can be organization-wide, issue-specific, or system-specific. Your organization’s policies should reflect your objectives for your information security program—protecting information, risk management, and infrastructure security. Your policies should be like a building foundation; built to last and resistant to change or erosion.
• Driven by business objectives and convey the amount of risk senior management is willing to accept.Chad Spoden in Security Policies, Standards, Procedures, and Guidelines
• Easily accessible and understood by the intended reader
• Created with the intent to be in place for several years and regularly reviewed with approved changes made as needed.
Data Security Policy Examples
Because policies are driven by your information security program objectives and can vary in their specificity (or target), the types of policies an organization may implement is vast.
But, some of the more pertinent ones (in order of importance) to most businesses are:
- Corporate Information Security Policy
- Asset Management Policy
- Identity and Access Management Policy
- Acceptable Use Policy
- Vulnerability Management Policy
- Incident Management Policy
- Security Training and Awareness Policy
Knowing which policies to implement is only a small portion of the battle. Many organizations face challenges implementing these (let alone a full set) even knowing their importance.
Data Security Policy Roadblocks
We know policies guide the behavior of employees. We know they help adhere to the objectives set forth by the business and the security program. We know they help us protect data, businesses, and people. So why is it still so uncommon for companies to have what we’d consider a full set of policies?
IT and Business Leaders Do Not Understand Their Value
Documentation in general is lacking in most IT environments.
The value of documenting policy and repeatable tasks (procedures) is not often appreciated until there is turnover or a breach—when there is a wake-up call.
Both policy and procedures assist in bringing on new staff by defining the “why” and the “how.”
People Hate Writing Them
It sounds silly, but a legitimate reason why a lot of organizations fail to have considerable coverage with their policies is because people simply dislike writing them.
They Are Overthought
Because policies are to be read, signed off on, and used by a variety of staff (many of them not IT or security), you don’t want a data security policy so in the weeds your average employee can’t comprehend it.
Leadership Doesn’t Prioritize Them
FRSecure firmly believes that information security is a business concern, not an IT one. The information your company stores and processes affects every department across the organization. And, it requires staffing and monetary resources to make a security practice effective. For this reason, the information security initiatives enacted by your company should be ones that align with the business’s goals and objectives.
This means business leaders (not IT leaders) should be the ones to drive the initiatives. Your business leaders prioritizing security initiatives is really the only way they truly get off the ground in a meaningful way.
Unfortunately, this is less common than we’d like to see, and policies are subjected to this as well.
Without prioritization from executive leadership on policies, two things happen:
- They never get adopted once they’re completed
- They never get approved in the first place
Jumping the Data Security Policy Hurdles
Unless you are completely pigeon-holed by a leadership team that wants nothing to do with any information security efforts (in which case, run), there are certainly some things you can do to ensure your policies are created and adopted effectively.
They aren’t always easy to come by, but policy templates take much of the monotony and struggle out of writing.
Organizations that advise security measures, provide HR support, provide legal support, etc. may have templates already in place that can help you get off on the right foot. Regulatory bodies may also have these templates available for you.
The benefit of these is that the guts are already there, a systematic review of the policies by your information security team can launch them for your organization.
If you go this route though, ensure the source is one that’s trustworthy (and has seen success with the plan they’ve written) and that the plan works for your business specifically (don’t just throw your organization’s name in there and call it good).
Don’t Over Complicate It
Complexity is the enemy of security. If your policies are too complex, they’ll be harder to adopt and even harder to follow as an end-user.
Determine what your policy is really trying to address, and tackle it simply.
Here is an example policy around Clean Desk:
It shall be the policy of COMPANY that all workforce members shall maintain clean and orderly office work areas and desks that are clutter-free in order to protect paper documents that might contain sensitive information about our patients, customers, and vendors.
A clutter-free office and desk project a positive image when customers visit our facilities and reduce the threat of a security incident as confidential information will be locked away when unattended. Sensitive documents containing PHI or proprietary information should not be left unattended and in the open as these documents could be stolen.
That’s a mouthful… Now, let’s simplify:
• Computer workstations must be locked when the workspace is unoccupied.
• Sensitive information must be removed from the desk and locked in a drawer when the desk is unoccupied and at the end of the workday.
Both policies said essentially the same thing–which was easier for you to read and understand?Evan Francen in Simplify with Cyber Security Fundamentals
Form a Committee
To avoid too many cooks in the kitchen (or the wrong cooks altogether), form a committee of people in charge of forming your information security-related policies.
If those people are vested and interested in helping, it will increase the success of their adoption across the company.
Plus, it eliminates the issue of having your leadership team implement policies without at least the input of your other department representatives.
Meetings and committees, huh? As dull as that sounds, they really are effective ways to garner support and ensure success with your policies.
Just like watching a witty comedy film, it’s not often you catch everything on your first pass. The ability to go back through and review and pick up on some of the things you missed serves great benefit when it comes to the success of your data security policy adoption.
Tell Your Staff
Establish clear and consistent communication methods for new and updated policies.
Also consider how you will communicate policies to their contractors and vendors who play an information security role.
Consider a vCISO
Put simply, all of these things are much easier to manage when done by someone who lives and breathes information security.
It’s a virtual chief information security officer’s (vCISO’s) job to understand the inner workings of your business in order to provide proper security recommendations.
To do so, they focus heavily on working with your internal department leaders to come up with objectives and methods for reaching them based on your biggest security risks.
Then, they work with your executive leadership team to get buy-in, but also to report on the results along the way.
Our vCISOs have in excess of 200 years of experience solving problems in a variety of verticals. We have most likely worked through similar problems to what you are struggling with today.
Therefore, the policies, plans, and successes they’ve already created or seen will provide a roadmap to help grow your security program in a meaningful way.
So, now you know what policies are, why they’re important, what the challenges are for implementing policies, and how you can get over some of those challenges.
What does it look like when an organization gets this right?
Southwestern Community College (SWCC)
When SWCC began working with FRSecure, it was conducting business much like it had for the last 20 years. The college had practices in place that it thought were best practice, but in reality, its team had stopped adapting to the current security landscape—which could have proved detrimental in the event of an incident.
With an IT department recognizing this (and the importance of keeping the sensitive data stored on their servers safe), SWCC went looking for guidance related to best practices and policies that could ensure a safer environment for individuals and technology.
Policies were an important part of this.
“Prior to [the policy] project, the SWCC IT department had practices in place for certain situations,” said Scott Helm, SWCC’s Director of Information Technology.
He added, “Policies are utilized so that all college employees know what is expected of them, and what to do if they come across certain situations. Now, the college has policies in place for all employees to follow.”
A Full Set of Information Security Policies
SWCC worked hard to adopt what we’d consider a complete set of policies.
FRSecure has 18 total data-related policies in what it considers to be a full set. You can imagine the effort and coordination it would take for an organization to adopt all of them successfully—and SWCC was able to do it.
A dedicated committee for completing data security policy work and making/implementing decisions on-site was a key driver for the success of this policy adoption project.
SWCC had representation from five departments on the planning committee.
“This allowed for ample input and varying viewpoints related to how each decision would affect all groups and departments on campus,” Helm said.
He added that it also assisted the IT department in making sure that all of the new policies would work the way they were intended to—without disruption of services to any department in the process.
Many people hear the words ‘committee’ and ‘meetings’ and cringe. But done right and tackling the right tasks, these can be incredibly valuable tools for the success of your security program.
SWCC saw success in their meetings through the cadence, agenda, and openness.
Meeting monthly, SWCC was able to implement a lot in a shorter time. Plus, it increased their chances of being nimble. Organizations that meet semiannually or annually simply aren’t giving themselves the ability to pivot easily as changes happen within the environment.
A tight agenda kept the meetings on track—ensuring time was well-spent. But, the agenda wasn’t always meant to be completed in full. As a group, SWCC’s team wanted to keep an open conversation.
“We, as a group, wanted helpful dialogue and discussion on these policies to make sure they accomplished what we intended them to accomplish once they were put in place,” Helm said.
It was the combination of the cadence, agenda, and open dialogue that made and continue to make these policy meeting for SWCC a helpful exercise.
Getting Leadership Involved
A key to the success of the meetings was getting college administration involved in the committee. Not only do they provide valuable perspective on the business, but adopting policies requires their approval.
Getting them involved and invested was critical to the success of this endeavor.
The Role of the vCISO
Working with an FRSecure vCISO on this project, SWCC was able to do two things:
- Utilize policy templates to speed adoption
- Get guidance and feedback about possible changes to the default template
The templates that the vCISO provided to SWCC gave them a good foundation to start building their policies with.
Having a deep understanding of the templates and how they can be successfully implemented in organizations, the vCISO was able to give helpful tips, information, and feedback as the committee worked to rework the policies for their own use and adoption.
Before the committee met each time, the vCISO would meet with Helm—the college’s information security officer.
This would allow for any issues to be discussed prior to the meeting so that it could be appropriately addressed by the committee, and also allowed time for the vCISO to guide them through areas in which they were unsure of what the best practices may be.
This relationship was key in the creating, implementation, and adoption of the full data security policy set for SWCC.
Next Steps for SWCC and Their InfoSec Policies
Now that the policies are in place and approved by the leadership and college administration, the challenge now becomes getting the employees to adhere to them in their daily activities.
“Now that policies are in place, IT staff have to work diligently to get all employees on board and practice the new policies. The team will have to make sure employees are educated on the policy so that they can share ownership when it comes to the security of their own and student data,” Helm mentioned.
To do so, Helm and the SWCC IT department will be relying on the college’s human resources (HR) department (who was included in the committee) to implement and conduct mandatory training videos for employees to watch that will be related to the information and cybersecurity topics included in the policies.
Despite the importance of formalized policies to the success of security programs, many organizations fail to adopt a full set of policies. But, we’ve seen instances of companies making drastic improvements to their programs just by doing so.
With roadblocks in writing, simplification, and getting buy-in from leadership, it can be incredibly difficult to move the needle on implementing policies.
By approaching your data security policy projects with a similar structure and determination as SWCC, you can take a daunting project and turn it into a successful endeavor that pays incredible data security dividends.
If you’re interested in assistance with your own policy project or would like to consider FRSecure for vCISO services, please visit our site to learn more.