Topic-specific policies 12/11: concluding the series
Through the blog, we have stepped through the eleven topic-specific policy examples called out in clause 5.1, discussing various policy-related matters along the way:
0. Introduction: an initial overview of the classical 'policy pyramid'.
1. Access control: 'policy axioms' are key principles underpinning policies.
2. Physical and environmental security: ignore these aspects at your peril!
3. Asset management: using templates/models to develop your policies.
4. Information transfer: consider the business context for policies.
5. Networking security: risks associated with data and social networks.
6. Information security incident management: unique or general?
7. Backup: there's more to information risk management than cyber!
8. Cryptography and key management: important for some but not all.
9. Information classification and handling: not as useful as you might think.
10. Management of technical vulnerabilities: is that patching?
11. Secure development: development of ... what? Lots of potential here!
Although these eleven examples from the standard (twelve if you include the 'information security policy') and my blog pieces may set you thinking, developing information security policies to suit your particular organisation is more involved in practice than dashing off a dozen policies that someone has suggested.
Take a step back to contemplate your organisation's requirements and priorities, and consider the policy pyramid as a whole, top-to-bottom, taking in all the layers. Some policy matters are best expressed in training and awareness materials, or in work instructions, or by verbal direction, or in 'acceptable use policies' and other guidelines. Some are so critically important that it makes sense for management to formalise and explicitly mandate them through the higher level policies ... and then refer to and explain them in the supporting guidance. Some are so specific in scope that a debate with those directly implicated, plus appropriate metrics to confirm that management's will is being satisfied, may achieve at least as much as written policies without the associated documentation, management and maintenance costs.
Aside from the governance, risk and compliance aspects, it's worth asking how the infosec policies will complement and support other controls - including those in related areas such as HR, ethics and IT. Most of all, how can you squeeze more value from your policies? Designing, building and maintaining a coherent suite of information security policies is a substantial, costly undertaking: maximising the benefits and opportunities for the organisation while minimising the associated costs and risks is no simple matter.
When published early next year, ISO/IEC 27002 will have about 150 pages on hundreds of individual controls (since, although there are just 93 clauses, numerous 'atomic controls' are mentioned in the details within each clause). Having covered about half a page and just part of one clause here, I could blog away merrily about the remainder in a similar vein for the next few years ... but I have neither the time nor the inclination to do so.
I firmly believe the ISO27k standards are worth studying, interpreting, contemplating and adopting sensibly, in whatever ways best align with your business and information risk/security situation: mere compliance, especially at a superficial level (such as having just those 12 policies), may be simple but is almost certainly sub-optimal. You'd be missing out on added value.
Talking of which, having provided links in the blog to individual policy templates corresponding to the examples, we offer many more through SecAware.com, including a full set of 80. The SecAware policy suite encourages you to take a comprehensive, business-oriented, coherent and integrated approach to your information security policies, as described here in the blog. Best of all, the complete policy suite is available as a package deal at half price.
Just to be clear, these are generic templates, the building blocks from which you can easily construct custom policies. You probably don't need all 80, at least not yet, but starting out with a complete set of templates, all written to the same consistently high standard by a single, competent and experienced professional author, sure beats the usual piecemeal approach caused by having whoever happens to be available draft additional policies as and when required.
Over time, well-managed policies are updated in tandem with the organisation's evolving needs and the developing information risk and security landscape. I am keen to maintain our policy suite likewise, so if you need a topic-specific information security policy that apparently isn't already included in the SecAware suite, please get in touch. If it is likely to be of value to other organisations too, I'd be keen to research and draft something appropriate for you.
OK, that's it from me. Run along and good luck constructing a policy pyramid to rival Egypt's finest.