Philosophical phriday: why have policies?
An interesting topic cropped up on the ISO27k Forum this week. In essence, the issue is whether a small, immature company without an Information Security Management System could or should have an information security policy.
Speaking as an infosec pro, the knee-jerk response is "Yes, of course!". Why do I say that? If SmallCo's CEO or owner asked me to explain, how would I justify my recommendation to have a policy? Hmmm.

Tag along or watch from the precipice as I dive into another rabbit warren.

The entire policy lifecycle diagrammed above is an involved - and costly - set of activities. There's more to this than one might think, and that 2-phase 15-step process diagram is not even complete.

So why bother? What's the payoff?

The same consideration applies to many other business arrangements, including an ISMS. Unless it supports/enables the achievement of business objectives and generates net value (benefits > costs over a reasonable timeframe), then from a business perspective it would be inappropriate - especially in a small organisation short of resources, heavily committed to developing its core business. There are almost certainly other pressing strategic priorities for SmallCo, other things to invest in, other concerns.

Aside from those extensive costs, understanding the business benefits of policies helps drive the entire process, from initiation forwards: what policies are required? Why? What are the business objectives? What is their purpose and scope? Who are they for? Who should own them? What are the options and alternatives? What's wrong with not having policies, or taking a different approach? When and where are the policies required? What form should they take? What should they say, exactly, and what should they avoid saying? Are we talking about one policy, one policy manual, an integrated suite of interwoven and cross-referenced policies, or Something Else? ...

Loads of questions here for management - which brings me to an important point: a policy is a formal expression of management's concerns and expectations on a particular subject, laying out 'the rules of the game'. But what if management has no such concerns and expectations? What if they haven't even thought about it, yet, and didn't realise the game was in play? What if they are confused, perhaps busy and distracted by other shinier things? What if 'the particular subject' is simply not on management's radar right now?

An audit would be one way to explore this, but a fairly costly and formal one. Alternatives include asking around, researching/exploring the pros and cons, reading about good practices, benchmarking, modelling (project, compare and contrast the future organisation with policies against the future organisation without policies), workshops, trials and pilot studies. There's even the dreaded Dr Google approach, perhaps grabbing something rudimentary off the web that seems vaguely as if it might possibly be useful, or splashing out on a set of policy templates without having determined the purpose and requirements (not recommended - not even for our glorious security policy templates!).

Another possibility is the do-nothing option: continue without policies and just see how things turn out ... which is how most organisations grow and mature, naturally, learning through lived experience. At some point, typically following a serious incident involving the actual or apparent/claimed lack of management guidance/direction, the light will hopefully flicker on. Thinking this through before landing in that unhappy situation is a chance to get ahead of the game.

Or not.

One last thing as I scramble back up towards the light at the end of the tunnel: attitudes towards management, policies, rules, structure and compliance vary between people, within and between organisations, and across cultures. Some of us are naturally compliant, law-abiding, respectful of authority. Some of us aren't. Some see rules as challenges, deliberately bending or breaking them to exert their individuality and assert their independence. Most of us fall somewhere in the middle ground, our attitudes depending on circumstances and mood, including the possibility of being caught out. One consequence of that range is that policies are not guaranteed a warm reception, leading to further questions and aggravation ... which brings us back to the top. Why bother? What is to be gained and lost here? Is it worth the effort? I believe so, but would my explanation convince SmallCo's CEO?