Policy management approaches
I'm researching (well OK, I've done a little Googling) how other, non-infosec policy suites are structured, accessed/presented and managed, for clues that might be relevant to ours.
First, financial policies. Funds for NGOs specifies "seven principles suggested by [unnamed] experts" as good practice:
"6.1 Principle of Financial Policy: While developing a financial policy it is a good practice to incorporate the following seven principles suggested by experts. These principles lay the foundation of an effective financial policy which would ultimately result into a healthy organization.
- Consistency: The financial policy should be consistent, which simply means that it should not allow manipulation of processes and systems. All the staff members should consistently adhere to the financial policy and there should not offer much flexibility. A consistent policy will ensure better accountability, transparency, better information dissemination and timely reporting.
- Accountability: The financial systems should be such that it makes the organization more accountable to its stakeholders. As an NGO all you should account for all the resources and its expenses. For this the policy should clearly indicate the procedures for reporting and publication of financial data.
- Transparency: An organization should disclose all its operation and provide necessary information to stakeholders. This means that the NGO should provide accurate and timely information to donors, beneficiaries and all relevant stakeholders.
- Viability: For an NGO to be viable in the long run, the policy should set in place a mechanism that would maintain a balance between its expenditure and income. For any organization to be viable it is important that team leaders are able to generate sufficient funds to continue the functioning of the NGO.
- Integrity: All team members should follow all rules set by the financial policy. As a founding member you should set precedence in following and adhering to all rules.
- Oversight: The policy should also provide oversight into the future and should accordingly suggest measures to cope with future challenges. This would include risk assessment; strategic planning etc.
- Accounting standards: The policy should be such that it incorporates valid national standards and protocols. The accounting systems should meet national and international standards of financial accounting and recordkeeping this would facilitate easy transactions between diverse funding strategies."
Their 7 principles concern ensuring and demonstrating compliance with external obligations, evidently a strong driver in the world of finance. The final recommendation to 'incorporate valid national standards and protocols' would make those external obligations an explicit and integral part of the financial policies.
For most of information risk and security, internal business drivers are arguably even more important than external obligations with a few exceptions (privacy for instance, plus integrity of the financial systems, processes and data). Thinking about it, the same point applies to financial management: making efficient and effective use of the organization's finances is at least as important as satisfying external compliance obligations, isn't it?
Talking of legal obligations, what about health and safety policies? The UK's Health and Safety Executive offers a simple policy template with just 2 pages:
The risk assessment page seems to be a working document used only in preparing the policy, hence the actual policy would typically be just the one page. The example has just 5 policy statements with brief explanations, specifying the responsible (actually, accountable) individuals for each policy statement.
There's a lot to be said for brevity (!) ... provided the policy is understood and followed in practice, placing much more emphasis on the associated awareness, training, compliance, assurance, oversight and monitoring activities, important supporting aspects not stated in the one-pager. The policy, then, is just a small piece of a bigger puzzle.
Brevity is a double-edged sword. A very brief policy gives a lot of latitude to workers in how they interpret and apply it, which can be a good thing but might be problematic depending on the circumstances. A major factor in health and safety is that workers literally have flesh in the game: it is clearly in their own personal interests to work safely and protect their own health. At the same time, the corporation has responsibilities towards ensuring its workers' health and safety (not just for legal and regulatory compliance reasons!) and workers have responsibilities towards each other, aspects that the example policies above don't cover. They seem narrow and naive to me but, hey, what do I know?
On that score, environmental protection is an area where both individual workers and the corporation have parts to play. Sony's approach to environmental policy, for instance, is quite complex with much more than the one-page health-and-safety example above ... as befitting a global organization with numerous national compliance obligations plus corporate objectives. For a start, Sony's environmental policy is part of Corporate Social Responsibility: it is not just an isolated or discrete policy matter but supports the corporation's wider aims towards society. This is a much more rounded and mature approach to policy.
I can envisage a similar hierarchical policy structure for information risk and security, guiding the whole corporation along similar lines. As with the health and safety example above, policy edicts from HQ would need to be generic, leaving individual business units and workers the latitude to interpret and apply them locally ... but not so much freedom that corporate policies can be totally ignored. That's definitely a challenging requirement for policies! Again, though, the policies themselves are not the whole story. Promulgating and enforcing policies involves the system of corporate governance and management.
Finally for today, Deming's PDCA cycle on the Sony page hints at the policy lifecycle. Someone has to specify, develop, check and authorize policies that are to be circulated and enforced, monitor compliance and effectiveness, react to changes by extending, maintaining and refining them, ideally achieving continuous improvement. The nice thing about systematic and cyclical improvement is that the starting point is irrelevant. If the policies start out woefully inadequate, the initial rounds of revision are likely to be step-changes, whereas later on the changes will be subtle refinements and tweaks. I sincerely hope our security policy templates enable customers to bypass the painful early learning stage, saving a small fortune and delay. We can't do all the policy refinement and management for you, but we can set you off to a strong start and support your security awareness and training activities.