How to design effective cybersecurity policies
Information security programs are essential to businesses and organizations as security incidents grow. The foundation of your security program is your cybersecurity policies.
Organizations need written policies and procedures relating to cybersecurity, privacy and information technology. High-quality documentation helps manage information and digital assets properly, protect the organization, improve security measures and comply with laws and regulations.
Unfortunately, policy and document work can fill security professionals with dread. Some view it as a long-procrastinated term paper assignment with a rapidly approaching due date. Many of us have spent time debating documents, paragraphs, sentences and words on the page — what do they mean, and what should they be?
Creating and updating cybersecurity policies can be productive and painless. This article covers five helpful components to help you build and shape better cybersecurity policies.
Laws and compliance requirements
Let's start with the legal and compliance function. Businesses need to comply with the law because it is the right thing to do and because non-compliance is costly and embarrassing. To follow legal requirements, we must first know what they are and ensure policies and procedures align with them.
Many rules regarding cybersecurity, privacy and data breach reporting apply to our information security programs. We call them external rules since they come from outside the organization. In other articles, I have discussed legal principles for information security professionals, including:
- Federal and state privacy and security laws
- Why infosec pros should learn about the law
- The foundations of our country's laws
- The CIPP/U.S. learning path for privacy and the leading privacy certification
Cybersecurity policy practices: existing and desired actions
Every organization does good things and can improve some things. Organizations should also stop some of the ways they work. We want to continually review what we do and what we should do. Next, we need to determine what we need to put into writing.
Existing and desired documentation: Internal rules
We need to document certain things to guide people and establish official rules and practices for the business. Even good people with good memories can forget what needs to be done. Organizations must document important information for effective management and to retain knowledge when employees are absent or leave their positions.
Recollections about what was said verbally will differ and fade, but a written policy, standard, or procedure remains in black and white. Furthermore, creating and updating policies is an opportunity for brainstorming and reflecting on how things should be done.
A legal compliance model
Copyright John Bandler. All rights reserved.
Those are three important concepts so far. We can depict them as the Three Platforms to Connect for Compliance, my legal compliance model for policies and practice. Once we understand and identify relevant external rules (laws), we can align the other two platforms to match.
Laws and regulations are understood, and the internal policies and procedures align with them, as do the organization's actual activities and practices.
Consider your business needs and mission
Copyright John Bandler. All rights reserved.
A compliance model is essential, but some view compliance as a nuisance. More to the point, no organization exists just to comply. They exist to fulfill their mission, often serving customers or clients and earning revenue. Information security professionals must ensure their security policies (and all their other work) fit with and advance the mission and other business needs.
This also means that we need to align four platforms. So that our policies and actions comply with the law and help achieve business goals.
Cybersecurity frameworks and guidance
Copyright John Bandler. All rights reserved.
We need guidance to build our governance documents properly. Guidance is not mandatory like a law or regulation but is optional, something organizations can choose to follow, in part, in whole or not at all. Cybersecurity frameworks are an important example of guidance.
There are many frameworks, including the National Institute of Standards and Technology (NIST) and their Cybersecurity Framework, Privacy Framework, and many other cybersecurity and information technology publications.
Other organizations have frameworks and guidance, too, including the Center for Internet Security and their Critical Security Controls, and from other non-profit and for-profit organizations.
If the other four components can be depicted as solid platforms, the fifth guidance component cannot since it is seemingly infinite and amorphous. A cloud suits it better.
Learn how to build better corporate cybersecurity policies
Cyber attacks are on the rise. Corporations need effective security standards, incident response plans and policies to improve security posture and reduce legal liability.
I was privileged to create a Corporate Security Policies Learning Path for Infosec. The training teaches how to analyze, create and improve cybersecurity governance documents. These documents include policies, standards, and procedures.
We start with solid foundational information and then cover the five essential components. We follow with guidance on planning and accomplishing your document project. I've even got a plan for when you have no time to plan. Of course, your documents are never "done" and perfect. You must read, refer to, update and improve them. We cover that, too.
Remember, your governance documents are the foundation of your security program, so take some time to ensure they are living up to their role.