By Alan Kowlowitz, NYSTEC Information Security Consultant
If you are an information security professional, at one point you will probably be expected to write security policies and standards for your company or agency. You already know why such documentation is important: failure to produce sound policies and standards could lead to a lack of compliance or security awareness—leaving your data vulnerable to security breaches.
Many excellent guidelines, models, and resources are available, making it relatively easy for you to develop sound policies. However, it remains difficult to write policies and standards that can be readily implemented and actually improve your organization’s security posture.
Equally challenging is getting the buy-in necessary from the technical staff that will actually be implementing the policies and standards you develop. You don’t want to invite these key stakeholders to review a draft policy when it is close to completion—there may not be enough time for you to address their concerns. Furthermore, the last thing you want to do is ignore their input, since they are the ones who work directly with the end users and staff who must comply with the security policies. It benefits everyone if you can leverage their expertise early and often in the development process.
So how do you go about getting buy-in and developing acceptable and implementable security policies and standards? Based on my 30-plus years of experience, I recommend these five steps:
- Write a plan for developing policies and standards. Include timeframes on how they will be developed and what areas of security they will address, as well as a generous amount of time for a review process that includes all the right stakeholders.
- Share this plan with your company’s technical managers. Request that they have their subject matter experts (SMEs) review each of the policy sections and technical standards. Maintain direct contact with the SMEs when possible so that the managers don’t serve as filters. Funding is always an issue, so involving those who understand the costs of implementing stronger security is critical.
- Consult with the SMEs to determine their concerns before you begin drafting policies and standards. Share outlines for each section—at the outset, if possible.
- Use an iterative approach to getting SME feedback on your content. Share only the relevant draft sections with SMEs so they are not inundated. Make sure they can see the revisions made based on their input. Work with the SMEs to frame the policy or standard element in the most acceptable terms possible. Be flexible, listen well, communicate often, and keep your focus on security outcomes rather than form, format, and method.
- Have the technical managers formally sign off on the completed drafts. Then send the drafts to senior management for approval.
These five steps may appear to be more time-consuming and arduous than the development approaches you have used before. However, following these steps will greatly reduce implementation issues and result in policies and standards that are better tailored to your organization. Using an iterative approach and demonstrating an honest appreciation of technical issues will encourage technical staff to work with you to develop policies and standards that are acceptable and implementable.