Effective Security Policy Management – Part 1

How mature is your information security policy program? Do you have a set of outdated documents stored in a binder or intranet site? Or do you have a documented management program that keeps your policies up to date, your users informed and your internal auditors sleeping at night?

This is the first article in the series Seven Elements of an Effective Information Security Policy Management Program. (Find more on this in our Security Policy Whitepapers.) In this series we review seven key characteristics of an effective policy management program. These characteristics are culled from leading practices, security and privacy frameworks, and incidents involving information security policies. Organizations can use this quick checklist to evaluate the maturity of their existing management program.

Part 1: Written documents with version control

Even though it seems obvious, nearly every information security standard and framework specifically requires information security policies to be written. Since security policies define management’s expectations and stated objectives for protecting information, policies cannot be “implied”; they have to be documented. Having a “written policy document” is the first key control established within the international standard ISO/IEC 17799:2005, and it is critical to performing both internal and external audits. But what are some characteristics that make for an effectively written policy document?

Policy documents should be written in plain and simple language. Many information security and privacy policies are written in legalese that is difficult for end users to read and understand. Since user education and training are a key component of all information security frameworks, clear, user-oriented language is critical. If your information security policies are written by either the information technology (IT) or legal department, make sure you employ a technical writer or other editor who can help simplify the language of your documents.

Policy documents should also have a standard format so that they can be effectively managed and updated. The standard format not only enforces consistency among documents, but also ensures that each document contains the key elements that facilitate overall management of the information security policies, such as the owner/author, title, scope and effective dates of the policy. Written documents should also carry a policy version number. A version number clearly states which version of the policy is in force at the time of publication, and helps maintain a version history of each document. Maintaining a version history is not only good practice for preserving digital evidence in case of a lawsuit; it also demonstrates that the organization was performing due diligence by updating its security policies on a regular basis.

In order to provide a clear document history that auditors can review, some form of access-controlled document management system should be used. It can be as simple as folders on a network drive with restricted permissions, or a full-blown document management system. Full-featured systems usually provide a detailed audit trail of all changes and updates to documents, including who made each change and when.