
Clearly Justify Your Information Security and Privacy Policies

I'm helping one of my clients update their information security and privacy policies, aligning them with ISO 27002 and creating new policies to fill gaps as necessary based upon the organization's risks. I was speaking with the CISO this week and he made a statement that I've heard many times over the years, and that really is a blockade to advancing information security within most organizations.

"I wish when the CEO rejects a policy he would tell me why. I know he's short on time, but it would help me do my job so much better if he'd just explain why."

Does this sound familiar?

I know many CISOs, CPOs and other information security and privacy leaders are also guilty of just saying "NO," without providing an explanation for why they came to that decision, whenever personnel ask for policy exceptions, ask to use new technologies, and so on.

You will not be as effective as you can be if you just tell your coworkers "no" in response to a request. If you want to foster a cooperative and productive business atmosphere, you should always explain why you have come to that decision, even if it does take you a little more time to provide the explanation. In the long run this explanation, and the resulting understanding on the part of your requestor, will save you time through better compliance and fewer ongoing questions on the same topic.

I know most of you think this should go without saying, but the reality is that most organizations don't provide an explanation for each policy, or the explanation provided is really lousy, such as, "Because the law requires us" or "Because the CEO says so."

No kidding...I've seen both of these more than once.

Have you told this to any of your personnel?

The format of information security and privacy policies in most organizations does not typically allow for such an explanation, or statement of purpose. However, having this documented for your personnel to reference is important to achieving their buy-in, cooperation and understanding. Such documentation is also critical and valuable for audits and regulatory oversight reviews.

If your policy document does not have a section for this, I recommend that you include a link to a separate document that contains this information.

Most explanations justifying the need for information security and privacy policies should include at least the following three elements:

* The laws and regulations that require such policies. Explicitly name the laws/regulations, such as, "The Health Insurance Portability and Accountability Act (HIPAA) requires our organization to have safeguards in place to...(provide information related to the policy)."

* The threats to your organization that require such policies. Describe the threats that having the policies will mitigate. For example, "Because of the very large amount of malicious code, such as viruses, worms and Trojans, that can be attached to email messages, we require that all email messages be scanned for this malicious code to help prevent business disruption, damage to information, and..."

* The vulnerabilities within your organization that require such policies. Describe the inherent vulnerabilities within your organization that having the policies will help to address. For example, "Because it is so easy to lose handheld computing devices we must..."

Within your explanations provide links to definitions of terms, such as "virus," "worm," and "Trojan," that your personnel may not be familiar with.

Very importantly, do not write your explanations, or your policies either for that matter, in techno-babble, gobbledy-gook verbiage! Write in such a way that all levels of your staff, from the CEO down the entire org chart, can understand.

Comments

Here’s an approach that works: get the CEO to sign up to the idea of an ISO27001-certified ISMS, for all the business and legal benefits that accrue, and then use a policy and procedure toolkit that is designed to deliver conforming documents – and the CEO doesn’t tend to get too involved in any of the detail because you get sign off on a structure that only requires the CEO to really understand the top level policy and a small number of supporting policies – most of the detail goes into procedures that are approved much lower down the organization.

Thanks for your message, Alan.

Your advice is good, and the approach is sound, but the challenge, at least here in the U.S., is that there is no motivation to obtain an ISMS certification. From the interviews I've done, CEOs are more interested in doing specifically what is required by law, and currently there is no law specifically requiring ISMS certification. Yes, obtaining an ISMS certification would result in being in compliance with around 80% - 90% of legal requirements (depending upon the ISMS scope), but certification is a large expense that most CEOs are highly reluctant to make.


Rebecca

Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.