Building Effective Governance Documentation: Policies, Procedures, and Beyond

Whether to satisfy compliance requirements or formally document information security practices, policy development is a necessary facet of every organization’s security program. Governance documentation, a term that is all encompassing for policies, procedures, and the like, assists with the definition of internal procedures and ensuring employees are made aware of their roles and responsibilities within those processes. While K logix is an expert partner in the development of governance documentation, it is imperative that our readers are equipped with the preliminary tools necessary to begin maturing a library of their own.

Policy vs. Procedure

As you know by now, “governance documentation” is often used in reference to policies, procedures, standards, and other forms of process-defining documentation. It can be easy to blur the lines between the varying types of documents, so for now we’ll focus on distinguishing between the two most commonplace: policies and procedures.

IT Glue defines a policy as “a formal standard that provides direction on how an organization can go about its operations regarding a specific topic” (IT Glue). Think about your company’s Acceptable Use or Information Security Policy. Both offer high-level expectations about employee behavior as it pertains to the general work environment and the use of information security assets (i.e., data, hardware, software, etc.), respectively. The Acceptable Use Policy might discourage employees from accessing inappropriate sites, while the Information Security Policy likely states that employees may not use or access information systems unless expressly permitted. Policy statements are easy to follow and set a baseline for employees to understand the basic principles aligned to each topic area.

Procedures, on the other hand, offer the detailed ‘how’ behind a Policy’s ‘what.’ “Procedures are step-by-step instructions that people within the organization must follow to implement an information security control” (InformationShield). Take Access Management, for example. An Access Management Policy might state, “access to non-public information requires both a unique user ID and a password.” A supplemental Access Management Procedure, then, should list the requirements a user must adhere to for password creation and updating (i.e., character limit, special characters, limiting password reuse, etc.).

Language

Now that we’re familiar with the distinction between policies and procedures, let’s talk about writing these governance documents. Policies, as we’ve mentioned, are high-level documents, so the language within them should encompass the spirit of simplicity, omitting extraneous language. For example, a statement within your organization’s Change Management Policy may address the need to assess changes for security risks. The statement might then read, “changes must be assessed for potential risks.” There may be an innate urge to expand upon that statement; ok, well, how are we conducting a risk assessment for changes? At what cadence? Who’s involved? That’s where the procedure comes in.

While procedures should also be written with an eye for conciseness, these documents are meant to serve as a policy’s instruction manual. So, for every policy statement written, a more detailed explanation should exist in a procedure. Using our latest example, the procedure statement might read, “The Change Advisory Board (CAB) is responsible for ensuring all changes undergo a formal, documented risk assessment to identify positive or negative risks regarding change implementation,” and so on.

Disregarding level of depth, both policies and procedures must adhere to the same ideology put forth by Yul Brynner…or RuPaul: as it is written, so it shall be done. Governance documentation is an auditor’s guide to how your Company carries out its processes. As such, using definitive language like “must” is typically discouraged unless the statement in question is unequivocally – and with supporting evidence – happening according to the document. Statements that use modal verbs like “should” or “may” loosen expectations, thereby allowing the organization to document ad-hoc processes without sacrificing audit success.

Ownership

Governance documentation sets expectations for all Company employees regardless of their affiliation with Information Security, so it’s imperative the documents are kept up-to-date and created as necessary to support organizational objectives. Formalization of this process begins with identifying the stakeholders responsible for governance documentation within the organization. Typically, this consists of the Chief Information Security Officer (CISO) and other members of the Senior Leadership Team (SLT) whose oversight may be required. Given most, if not all, regulatory bodies require policy libraries to be reviewed at least annually, it is always recommended that a representative from the Legal or Compliance team be involved in policy refresh activities. While these individuals are accountable for alignment of documentation to current practices, they must also be bastions of Company policy, facilitating enforcement across all levels of employees.

How K logix Can Help

Standardizing document types, formalizing ownership, and maintaining consistency are vital to the operational success of your organization’s governance documentation. Yet, while applying the principles outlined above helps bolster or formalize document libraries, the process can be tedious; that’s where K logix steps in. Our Consulting Team has led dozens of successful Governance Documentation engagements, ensuring our clients receive customized documentation that is aligned with internal practices and identified frameworks (e.g., NIST, ISO, CIS). Further, our Consulting arm offers relief from end-of-year fatigue through Policy reviews that satisfy both internal and external review requirements.

Interested in how K logix can help you? Contact info@klogixsecurity.com for further information.