‘When was the last time you reviewed your information security policies and procedures?’ - I ask this question to many of my clients. The standard response that I get from the audit-weary CISOs is ‘annually’.
The ‘annual review’ ritual of information security policies is akin to the blind following of superstitions. You just do things in a way because it was always done that way. Here are the things that the annual review of information security policy focuses on:
- Review if there are any changes to personnel or designations - If the policy has names of personnel (not a good practice) and the person has moved on, the name is replaced by a current person. If the person doing the job has been promoted (he goes from AVP to EVP or from EVP to MVP or whatever), but still continues doing the old job, the designation is changed to the new one.
- Review if there is a way to handle the audit points by making changes to the policy - An auditor feels that something is not present in the policy and asks for it. The policy review team then adds a sentence or two to the policy, carefully wording it so that it does not add any work, just meets the audit requirement.
- Update the version control and review date - again for the benefit of the auditor.
I usually start by asking the CISOs about changes to the organization in the last couple of years. Usually there are a few major changes that every organization goes through in a couple of years: new locations added, changes to the organization structure with responsibilities being juggled, automation of things with new software, changes to IT infrastructure, etc. My next question is “Have you reviewed the policy in the context of these changes?” I can then tell from the expression of the person whether these changes have been given any thought in the information security policy review.
The next part is asking about user feedback. Do users comment on complexity of procedures? Is there a constant cribbing about how long security processes take? If a user knows the process to be followed for any security process, but still chooses to ignore it, you must explore it further. Sometimes it may be because the user is a jerk, but mostly, it is because the process is too complicated or unclear. If what the user does looks like the right side of the above image, then you really need to rethink your information security policies and processes.
So, how does one go about reviewing their information security policies and processes? Here is a primer on how to review your information security policies and processes.
- Start with the information security policies. Collect all the policy documents related to information security. Read each of them line by line. For each statement of policy, check for the following:
  - Does the statement talk about the ‘decision’ of the organization, action steps or guidelines to be followed? A statement like “Casual dressing is allowed only on Fridays.” is a proper policy statement. “An organization needs to have a proper dress code to create an environment of professionalism, but also allow for a bit of fun.” is not a policy statement. It does not convey the stand of the management, nor does it provide any guidelines or action steps to the end user. Most policies become unreadable because of the urge of the policy maker to explain why a certain rule is in place. If the statement is an explanation, remove it. Remove the flab from the statement if it contains any. A statement like “Storage space is at a premium and users shall be restricted to only 1 GB of space.” can be cleaned up to “Users shall receive a maximum of 1 GB of space on the file server.”
  - Check for procedures and guidelines being mixed up with policies. For example: “Acceptable casual clothes include T-Shirts with collars” is a guideline, not a policy. “Additional storage space shall be provided after the approval of the CISO and business head” is a procedure, not a policy.
This process itself should take a few days of dedicated effort. When you are done with cleaning up the policies, you should look at the processes that need to be followed. I will soon write about a few tips for reviewing and updating processes.