Tuesday 5 June 2018

Security frameworks

The awareness and training materials for July will cover 'security frameworks', at least that's the working title at present. It may change as the scope is refined and the materials come together during June.

In addition to public standards such as ISO27k and NIST SP800, we plan to cover the internal frameworks or structures for information security within the corporation, important elements of information governance plus information risk and security management. I'm talking in particular about corporate security policies.

We are currently reviewing and revising our suite of generic information security policy templates, partly for subscribers as part of July's module. We routinely create or revise one or more of these templates each month in connection with the month's awareness topic, a systematic maintenance process that keeps the individual policies up to date. However, it is a piecemeal process, meaning that changes may be required to several existing policies when a new one (such as the whistleblowing policy) is added to the suite, or when a policy is extensively revised. We don't always have the time and energy to ensure that all the changes to all the templates are identified and made consistently each month, so that's something we're doing now: a full review and update of the entire policy suite.

With 70+ security policies in the suite, it's quite difficult to ensure that they all remain consistent, properly referencing each other. Take for example the policy on security awareness and training: that refers to several other policies ...


Since the assurance policy, for one, is cited in the security awareness policy, they are clearly related and relevant to each other, implying the need for each of them to reference the other ... and so on with all the other policies.

We've created something of a maintenance nightmare for ourselves here, a fairly complex mesh of security policies with lots of linkages or dependencies.

A few years back, we handled this situation with our original Information Security Policy Manual, a substantial tome based originally on the ISO/IEC 27001 and 27002 standards. 27002, in particular, has numerous cross-references to related controls embedded within it, which in the policy manual we hyperlinked to the relevant parts of the same Word document. That worked nicely in practice for maintenance purposes ... but the 'substantial tome' was not so easy to read, understand and implement due to its sheer size. It topped out at something over 120 pages. Revising the entire manual to reflect the updated ISO27k standards released in 2013 also turned out to be too hard.

After a year, we admitted defeat, shifting instead to the present approach with individual "topic-based" policies of just a few pages each, albeit more than 70 of them, meaning something over 200 pages in total.

Each policy starts with a clear title and succinct summary, defines its scope and applicability, lays out one or more axioms (broad security and control principles relating to the control objectives specified in the ISO27k standards), then gives a page or so of detailed policy statements plus a table of references to related standards, policies and procedures.

So if someone wants to know about the organization's policy on, say, security awareness, they simply dig out and read the 3½-page security awareness policy. They might also explore the referenced policies, procedures and awareness materials for further information ... or not.

Now, we're exploring ways to re-integrate the policies:
  • We already have partial integration through the overarching Corporate Information Security Policy listing out the axioms. We could also list the policies, except it then becomes lengthier and another maintenance burden as the policy suite continues to evolve.
  • We might generate a 70x70 matrix listing all the cross-references between all the policies - that's about 5,000 potential cross-references to create and maintain! Oh boy. A spreadsheet would cope but I'm not sure I would!
  • A master MS Word document containing all 70 policies as sub-documents is another possibility, turning all the cross-references once again into hyperlinks to ease navigation and maintenance while still allowing for the individual policies to be used in isolation. Word can probably handle all that, but I have had problems in the past with such complex documents, and the risk of either me or the technology messing things up completely is quite scary. We have invested hundreds, perhaps thousands of hours into this edifice already.
  • Some sort of automated system that can handle all the policies and dependencies as a suite would be nice, both for us and for our customers. Although a standard Document Management System might suffice, we're aware of, and have played a small part in developing, at least two commercial security policy and awareness management systems.
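The cross-reference matrix and the reciprocity problem described above (if the awareness policy cites the assurance policy, the assurance policy should cite it back) can be checked mechanically once each policy's references table is captured as data. The script below is an added illustration, not code from the original post; the policy names and their reference lists are constructed sample data, not the author's actual suite.

```python
"""Consistency checks for a mesh of cross-referencing security policies.

Added example, not from the original post. POLICY_SUITE is constructed
sample data: each policy title maps to the titles listed in its references
table. A real run would load this from the policy documents themselves.
"""

# Constructed sample suite (hypothetical titles and references).
POLICY_SUITE = {
    "Security awareness": {"Assurance", "Acceptable use", "Whistleblowing"},
    "Assurance": {"Security awareness", "Compliance"},
    "Acceptable use": set(),                             # never cites awareness back
    "Whistleblowing": {"Security awareness", "Fraud"},   # 'Fraud' is not in the suite
    "Compliance": {"Assurance"},
}


def potential_cross_references(n):
    """Number of ordered (citing, cited) pairs an n x n matrix can hold,
    excluding the diagonal: a policy does not reference itself."""
    return n * (n - 1)


def dangling_references(suite):
    """(citing, cited) pairs where the cited policy does not exist, e.g. a
    policy that was renamed or withdrawn but is still referenced."""
    return sorted((p, r) for p, refs in suite.items()
                  for r in refs if r not in suite)


def missing_reciprocals(suite):
    """(citing, cited) pairs where the cited policy exists but does not cite
    the citing policy back; the blog's 'related and relevant to each other'
    rule says both directions should be present."""
    return sorted((p, r) for p, refs in suite.items()
                  for r in refs if r in suite and p not in suite[r])


def cross_reference_matrix(suite):
    """The 'policies x policies' matrix as a 0/1 grid, rows and columns in
    sorted title order; cell [a][b] is 1 when policy a cites policy b."""
    names = sorted(suite)
    grid = [[1 if b in suite[a] else 0 for b in names] for a in names]
    return names, grid


if __name__ == "__main__":
    print("potential refs for 70 policies:", potential_cross_references(70))
    print("dangling:", dangling_references(POLICY_SUITE))
    print("not reciprocated:", missing_reciprocals(POLICY_SUITE))
```

Running the checks after every monthly policy revision turns the "did we update all the other policies?" question into a short list of pairs to fix rather than a 70x70 sheet to eyeball.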
Watch this space! If I have enough time and energy left over to blog this week, I'll mention something interesting, an internal structure emerging unexpectedly from the rather chaotic suite of policies, hinting at a conceptual framework.
