Regardless of whether a policy is based on guiding principles or regulatory requirements, its success depends in large part upon how the organization approaches the tasks of policy development, publication, adoption, and review. This process is collectively referred to as the policy lifecycle. The responsibilities associated with the policy lifecycle processes are distributed throughout an organization. Organizations that understand the lifecycle and take a structured approach will have a much better chance of success with their cybersecurity practices. Let’s break down the Information Security Policy (ISP) lifecycle in further detail.
Even before setting pen to paper, considerable thought and effort need to be put into developing a policy. Once the policy is written, it still needs to go through an extensive review and approval process. There are six key tasks in the development phase: planning, researching, writing, vetting, approving, and authorizing.
- The planning task should identify the need for and context of the policy. Always have a reason for writing a policy document.
- Policies should support and be in agreement with relevant laws, obligations, and customs. The research task focuses on defining operational, legal, and regulatory requirements and aligning the policy with its objectives.
- The writing task requires that the audience be identified and understood, and that the policy be written in plain language that audience can follow.
- Policies require security. The vetting task requires the authors to consult with internal and external experts, including legal counsel, human resources, compliance, information security and technology professionals, auditors, and regulators.
Once you have the “green light” from the authority, it’s time to publish and introduce the policy to the organization as a whole. This introduction will require careful planning and execution because it will set the stage for how well the policy is accepted and followed. There are three key tasks in the publication phase: communication, dissemination, and education.
- The objective of the communication task is to deliver the message that the policy is important to the organization. In order to accomplish this task, visible leadership is required. Security is not always convenient, and it is crucial for leadership to participate in the information security program by adhering to its policies and setting the example.
- Disseminating the policy simply means making it available. Policies should be widely distributed and available to their intended audience. Due to confidentiality, certain policies may not always need to be available to everyone and should only be made available on a need-to-know basis.
- Company-wide training and education build culture. Information security policies should be thought of as a teaching opportunity with the goal of raising awareness and giving each person a tangible connection to the policy objectives. This should be coupled with ongoing awareness programs to reinforce the importance of policy-driven security practices.
The policy has been announced and the reasons communicated. Now the hard work of adoption starts. Successful adoption begins with an announcement, progresses through implementation, performance evaluation, and process improvement, with the goal of having the policy and implementation be expected behavior. There are three key tasks in the adoption phase: implementation, monitoring, and enforcement.
- The starting point of the implementation process is to ensure that everyone involved understands the intent of the policy and how it is to be applied. Decisions may need to be made regarding the purchase and configuration of supporting controls, and any capital investments need to be accounted for. A project plan may need to be developed, and always remember to keep management and affected personnel informed throughout implementation.
- Post-implementation, compliance and policy effectiveness need to be monitored and reported. Mechanisms to monitor compliance range from application-generated metrics to manual audits, surveys, interviews, and violation and incident reports.
- Unless there is an approved exception, policies must be enforced consistently and uniformly.
Change is inherent in every organization. Policies must support the guiding principles, organizational goals, and forward-facing initiatives. They must also be harmonized with regulatory requirements and contractual obligations. The two key tasks in the review phase are soliciting feedback and reauthorizing or retiring policies.
- Continuing acceptance of information security policies hinges on making sure the policies keep up with significant changes in the organization or the technology infrastructure. Policies should be reviewed annually. Similar to the development phase, feedback should be solicited from internal and external sources.
- Policies that are outdated should be refreshed. Policies that are no longer applicable should be retired. Both tasks are important to the overall perception of the importance and applicability of organizational directives. The outcome of the annual review should be either policy reauthorization or policy retirement.
Have you already started to think about and develop an ISP for your organization? Download our Sample Information Security Program Template to get started writing and put yourself on track to publish!
Note: This article is an excerpt from Security Program and Policies: Principles and Practices (2nd Edition) by Sari Greene, founder of Sage Data Security, now part of Tyler Technologies, Inc. as Tyler Cybersecurity.