Saturday 27 November 2021

Weaving strategies with policies

I mentioned recently here on the blog that there can be strategic elements to policies, just as there are operational aspects to the supporting procedures and guidelines. With the new year fast approaching, I'd like to explore that further today.

Warning: your blinkers are coming off. Prepare for the glare.

Take for instance the corporate responses to COVID-19. Out of necessity, organisations in lockdown shifted rapidly from on-site office work and in-person meetings to home-working, using video conferencing, email and collaborative approaches. Although that may have been a purely reactive, un-pre-planned response to the global crisis that erupted (despite prior pandemics and warnings arising from increasing international travel), it was facilitated by longer-term planned, strategic changes and investments in a resilient workforce with flexible working practices and positive attitudes, strong relationships within and without the organisation, plus appropriate tools and technologies - in particular the cloud (since about 2000) and, of course, IT (since about 1970). 

Thinking about it, the very concept of 'office work', or indeed 'work', stretches back still further, along with 'business', 'commerce', 'profit' and 'money'. Gradual shifts in human society on an almost evolutionary scale have led to where we are right now ... and will continue going forward, presenting strategic challenges and opportunities to those who are awake to the possibilities ahead (both positive and negative), sufficiently resilient to cope with adversity yet resourceful, strong enough and well-positioned to surge forward when it makes sense.

In some organisations, policies and practices for home/virtual working were hastily developed and adopted during and in response to the COVID outbreak. In others, either the policies and practices were already in place, or there was no specific need for them since flexible, tech-enabled working was very much the norm already. A few laggards are still struggling to catch up even today, and failing to thrive in adversity may mean failing to survive in perpetuity. 

[Aside: how on Earth can today's politicians justify holding a climate change conference as a physical, in-person event, during COVID no less, rather than virtually, on-line? Are we even on the same planet? Shakes head in disbelief.]

The relation goes both ways: policies can prompt strategic changes, and vice versa. Thinking forward, virtual working presents opportunities for global collaboration on an unprecedented scale, with reduced costs, increased efficiencies, access to a global talent pool and of course global markets. 'Globalization' is not just about establishing a widespread physical presence and brands: it's also about harnessing a widely distributed and culturally diverse workforce, harnessing technology to link, leverage and exploit the very best of the best.
 
From the information risk and security perspective, virtual working is both a nightmare and, again, an opportunity ... so, how are things going with your security strategy development, dear CISO? What can be done to facilitate secure virtual working? How can virtual working benefit information risk and security? How will you satisfy the changing governance, compliance and assurance requirements in a virtual world? What about the technology risks, not least our ever-increasing dependence on the Internet? And are you looking to exploit information security knowledge and expertise in all corners of the world, or are you still chasing the evaporating pool of local talent? As well as infosec policies, what are your business policies for managing the information risk and security function?
 
Virtual working is just one of several strategic issues. What else is going on in the world of information risk and security? I have in mind the Internet of Things, of course, the proliferation of smart, autonomous devices raising all sorts of security concerns and, again, opportunities for smart execs (e.g. additional streams of security-related information from distributed, mobile networks of things, like for instance monitoring the locations and activities of the virtual workforce, and all its digital gizmos, for anomalies). So-called artificial intelligence and machine learning are gaining traction, with robotics no longer the realm of science fiction. Automation and technology, in general, have been driving societal changes on an evolutionary timescale, ever since our primitive ancestors started wielding rocks and sticks as tools and weapons, harnessing animals to carry loads and pull wheeled carts. What's to come, and how can we be a part of it, actively driving innovation and exploiting changes rather than purely being driven and exploited?
 
[Aside 2: I pity those of you with "cyber" on your business cards, particularly if you report to the CIO, CTO or some other manager swimming endlessly around the IT fishbowl. Technologies are just tools to craft things of beauty, utility and value. Sure, shiny tools help get the job done, but aside from the glint they are pale and insignificant compared to the products. Context matters.]

Having mentioned 'exploitation' in a positive sense a couple of times already, I can't help but think about the flip-side i.e. our being exploited by third parties, or indeed by malicious insiders. This is an area where information risk and security professionals have specialist knowledge and expertise ... but we are not the only ones. We have plenty to learn from our colleagues working in physical security, fraud prevention, law enforcement, audit and assurance, privacy and compliance, human resources and behavioural science, to name but a few - and, again, virtual working opens us to global collaboration ... just as virtual working among the criminal fraternity opens us to global exploitation, prompting yet another potential thread to our information risk and security strategy. What controls are appropriate to contain the risks in this domain? Which security policies would best help us dodge the hail of bullets coming from all directions? What about the residual risks, not just those we consciously accept but those we don't even appreciate exist?

And that's another thing. Do international standards and methods feature in your security strategy? Are you looking to ignore, adopt, comply with, be certified against, proactively exploit or even get engaged with the ongoing development of the ISO27k standards, for instance? There's a substantial range of possibilities with strategic, tactical and operational elements and, for sure, business implications. Are you going to be forced, kicking and screaming, into ISO/IEC 27001 certification by insistent business partners and legislation for fear of losing out on lucrative contracts and sales, or will you seize the initiative in 2022 to invest in a more systematic, structured approach to information risk and security management, on your own terms, under your own control?

As you consider the threads I've brought up and others in the context of your own organisation and personal situation, remember that we are not the only ones thinking strategically at this time of year, preparing our cunning plans, proposing initiatives and often requesting substantial financial investments to make real progress in information risk and security. 'Protecting information against information risks' is a necessary but insufficient strategic goal without something along the lines of 'and enabling the legitimate exploitation of information to add value to the business' ... which hooks firmly into the strategy development going on all around us at the same time. Are our colleagues in IT, finance, HR, operations, marketing and other functions even considering the information risk and security aspects to their cunning strategic plans? Wider still, what about our (global!) business partners, suppliers, customers, prospects and regulators? How can we help and support each other? What about those opportunities to exploit third parties' strategic weaknesses (being oblivious to the business value of ISO27k, for instance)?

Good luck weaving your way through the maze of possibilities!

I'll leave you to contemplate the challenge of building a policy pyramid on the moon. Seen from space, the Earth is a rather small, insignificant planet, 'mostly harmless' indeed.  Even 'Think global, act local' seems somewhat parochial these days, so what is your vision for the future, your rallying cry as you lead the troops to new horizons and beyond? Are you thinking broadly enough? What excites you so much about the future that it can't help but engender enthusiasm and support from your executive colleagues and (we hope!) the budget to 'make it so'? Is 2022 your year to go on the offensive, shrugging off the defensive, reactive, backward-looking cloak of more traditional approaches to information and even cyber security?

Friday 5 November 2021

Topic-specific policies 12/11: concluding the series

Congratulations on completing this cook's tour of the topic-specific information security policies in ISO/IEC 27002:2022 (forthcoming). Today we reach the end of the track, reflecting back on our journey and gazing forward to the next objective.

Through the blog, we have stepped through the eleven topic-specific policy examples called out in clause 5.1, discussing various policy-related matters along the way: 

0.  Introduction: an initial overview of the classical 'policy pyramid'. 

1.  Access control: 'policy axioms' are key principles underpinning policies. 

2.  Physical and environmental security: ignore these aspects at your peril!

3.  Asset management: using templates/models to develop your policies.

4.  Information transfer: consider the business context for policies. 

5.  Networking security: risks associated with data and social networks.

6.  Information security incident management: unique or general?

7.  Backup: there's more to information risk management than cyber!  

8.  Cryptography and key management: important for some but not all.

9.  Information classification and handling: not as useful as you might think.

10. Management of technical vulnerabilities: is that patching?

11. Secure development: development of ... what? Lots of potential here!

Although these eleven examples from the standard (twelve if you include the 'information security policy') and my blog pieces may set you thinking, developing information security policies to suit your particular organisation is more involved in practice than dashing off a dozen policies that someone has suggested. 

Take a step back to contemplate your organisation's requirements and priorities, and consider the policy pyramid as a whole, top-to-bottom, taking in all the layers. Some policy matters are best expressed in training and awareness materials, or in work instructions, or by verbal direction, or in 'acceptable use policies'  and other guidelines. Some are so critically important that it makes sense for management to formalise and explicitly mandate them through the higher level policies ... and then refer to and explain them in the supporting guidance. Some are so specific in scope that a debate with those directly implicated, plus appropriate metrics to confirm that management's will is being satisfied, may achieve at least as much as written policies without the associated documentation, management and maintenance costs.

Aside from the governance, risk and compliance aspects, it's worth asking how the infosec policies will complement and support other controls - including those in related areas such as HR, ethics and IT. Most of all, how can you squeeze more value from your policies? Designing, building and maintaining a coherent suite of information security policies is a substantial, costly undertaking: maximising the benefits and opportunities for the organisation while minimising the associated costs and risks is no simple matter.  

When published early next year, ISO/IEC 27002 will have about 150 pages on hundreds of individual controls (since, although there are just 93 clauses, numerous 'atomic controls' are mentioned in the details within each clause). Having covered about half a page and just part of one clause here, I could blog away merrily about the remainder in a similar vein for the next few years ... but I have neither the time nor the inclination to do so.

I firmly believe the ISO27k standards are worth studying, interpreting, contemplating and adopting sensibly, in whatever ways best align with your business and information risk/security situation: mere compliance, especially at a superficial level (such as having just those 12 policies), may be simple but is almost certainly sub-optimal. You'd be wasting value.

Talking of which, having provided links in the blog to individual policy templates corresponding to the examples, we offer many more through SecAware.com, including a full set of 80. The SecAware policy suite encourages you to take a comprehensive, business-oriented, coherent and integrated approach to your information security policies, as described here in the blog. Best of all, the policy suite is currently on sale at half price.

Just to be clear, these are generic templates, the building blocks from which you can easily construct custom policies. You probably don't need all 80, at least not yet, but starting out with a complete set of templates, all written to the same consistently high standard by a single, competent and experienced professional author, sure beats the usual piecemeal approach caused by having whoever happens to be available draft additional policies as and when required.

Over time, well-managed policies are updated in tandem with the organisation's evolving needs and the developing information risk and security landscape.  I am keen to maintain our policy suite likewise, so if you need a topic-specific information security policy that apparently isn't already included in the SecAware suite, please get in touch. If it is likely to be of value to other organisations too, I'd be keen to research and draft something appropriate for you.

OK, that's it from me. Run along and good luck constructing a policy pyramid to rival Egypt's finest.