This post is in continuation to the previous post on simplifying information security policies.
The infosec world is confused when it comes to defining what a process is. Countless hours have gone by, when I have tried to ‘define’ a process to my clients. In fact, even among experts, there is a disconnect on the exact meaning of a ‘process’. Is it a set of activities to be done in a particular order? If so, then what is an activity?. If you are really looking for some entertainment about definitions, pick up the BS25999 and read the definitions of ‘process’ and ‘activity’. Without getting into the debate around the definition, let us try to look at it the practical infosec way!
For the purpose of this blog, I am going to use the terms ‘process’, ‘procedure’ and ‘activity’ interchangeably. There might be purists who might be offended by my blasphemy, but the objective is not offend anyone, but to simplify things.
When a new employee joins an organization, he generally has to do many things. Apart from getting to know new people, he is thrown head first into the organization’s bureaucratic machinery. He has to fill out forms for getting and ID card. He needs to find out the process to enter the building by obtaining a ‘temporary ID’. Before he figures out what is the best dish to order in the cafeteria, he needs to get a computer, an email ID, an employee ID and access to various systems and applications that his job demands. Many organizations try to make this procedure simple, but fail to do so. The new employee either gets frustrated or worse, he resigns to his fate and waits in the library till things are sorted out, all the while building up resentment for the company he just chose to join!
Every one of us would have come across procedures that an organization follows for information security that leaves us in complete frustration. How many times have we heard:
“I need to access the site NOW, not next Monday!”
This frustration probably stems from the following facts:
- User needs to access critical information from a particular site immediately, probably has some deadline coming up.
- He knows his AVP has access to it as it was the AVP who showed him the site and asked him to look at it as well.
- He knows that IT sometimes just provides access based on a simple e-mail request
- He knows that if his friend ‘Bob’ in IT was not on leave today, it would have been done immediately.
So what is the problem with the process?
- No defined (TAT) turn around time (External customers are given a TAT, but not internal customers)
- Unclear approval process (why do some requests need approval while some do not?)
- No clear steps to be followed (I need to call up the helpdesk to find out that I need an approval of some high flyer who is at the moment, well, flying!)
A very simple trick to writing great infosec procedures is to write a small table like this:
|To create a new user ID,
||a new joinee must
||fill up a form, get it signed by his immediate manager and
||submit to IT with a cc to HR
||on the date of joining.
|To request for access to a blocked URL
||an employee must
||provide a brief write up of the site to his immediate manager and obtain his approval
||before sending the request to IT. IT will forward it to CISO for approval.
||Upon receipt of approval, access shall be provided
Any procedure should cover these 5 points:
Of course, for more complex processes, it might take some additional information (in the form of additional steps or approvals or even guidelines) to make it effective. However, the basic requirements of any process remain the same!
Next up - when do we need guidelines!