
I have seen a variety of approaches to policy and control over my 35 plus years working in IT and Information Security. Few common design patterns have emerged. Some don’t want to overthink it, while others see no organizational value in having it. Practically all end up with a library of conflicting and ineffective documents which must be regularly reviewed and acknowledged. There must be a better way.
I view policies as management’s intent and measures for effective business Processes. It starts and ends with Process: policies are just a means to get there. Unlike most policy infrastructure, Processes are what we actually do. They are functional, and they define the context into which controls are inserted. Start by defining your process model and the catalog/repository where users can go to find them. If done right, from an audit/compliance perspective, Processes are management’s assertions of proper security. Specific to Information Security, I start by writing an Information Security Management Process during the Initial phase of the program.
At the same time, everyone needs to know that the institution intends to organize “programs” such as Information Security, Privacy, and Business Continuity. These are the Policies that define the key roles and responsibilities, and the framework for planning, developing, operating, and evaluating the associated “program” controls. Program policies often support and demonstrate interdependence with other programs. All programs should have at least one Policy. For my program responsibility, I start by writing an Information Security Policy during the Initial phase of the program.
The true measures of any program are Standards. Standards describe the control characteristics that must exist and how deviations must be governed. Unlike Process and Policy, Standards are written for those responsible for the controls. Every control environment has a set of custodians. Standards allow custodians to develop, operate, and continuously evaluate the controls in their area of responsibility. For Information Security, I model my Standards on the practice domains of ISO 27002 and evolve the documents over time during the Developing phase of the program.
Last but not least are Procedures. Procedures are the administrative steps to achieve control. For Information Security, they prevent, detect, and react to adverse events and incidents. Not every method needs to be formalized and written into a Procedure. Unacceptable risk and compliance factors often trigger their creation. Procedures detail a sub-process so it can be independently verified.
Donald Borsay is the owner and principal consultant of Securitybeat Advisors LLC.