SMotW #60: proportion of security policies up to standard

Security Metric of the Week #60: proportion of security policies that meet documentation quality standards 

There are two clear presumptions behind this metric: (1) there are 'documentation quality standards' which apply to the policies, and (2)  security policies are being or will be assessed systematically against the standards.  Both are signs of a relatively mature - and probably quite bureaucratic and well-structured organization.  Measuring the quality of security policies according to how many of them meet the corporate standards probably seems like a natural thing to do ... but is it really?  Or is it just needless red tape?

Most formal documentation quality standards specify requirements for formatting, layout and structure, since these are relatively straightforward to define, to implement and to audit against.  They are basically style guides.  The better ones go on to cover other far more subjective and frankly important matters such as readability.  The very best talk about quality, purpose and utility from the perspective of the readers and other stakeholders, implying that they are best placed to determine the value of the policies.  In that context, whether or not a security policy uses 12 point Tahoma is of little significance if the content is so obtuse and jargon-riddled, or if it essentially covers a non-issue, that nobody is going to pay it any attention anyway.

This, then, is an example of a bureaucratic metric, potentially of some operational value to the quality assurance function tasked with evaluating and reporting the quality of security policies but of little relevance beyond their domain.  The PRAGMATIC ratings reflect our poor opinion of this metric as a measure to improve the governance, management and maturity of information security:

P
R
A
G
M
A
T
I
C
Score
66
47
79
45
74
38
44
50
35
53%




A better alternative might be to get the intended audiences and interested managers to assess and measure the quality of the security standards, and in so doing identify the characteristics of good vs bad policies.  Slipping those characteristics into the corporate style guide, along with good and bad examples to push the point home, is more likely to achieve genuine progress, in our opinion, than measuring compliance with the documentation quality standards.