IT security policies are to the enterprise what rules are to children. Initially, they force you to recoil and complain, but as you grow older, you begin to value their importance.
When done correctly, security policies codify the basic contracts and procedures needed to ensure a company runs safely and efficiently. Well-executed security policies power a company’s success by providing a concise statement of management intent. They are a how-to, quick-start guide for an organization’s security program. IT security policies help ensure employees know what is expected of them and executives have clear guidelines and requirements.
Security policies also serve as a foundation for standardized information gathering (SIG) shared assessment questionnaires and other vendor assessment questionnaires, which are becoming increasingly important for doing business today.
To ensure IT security policies do what they are created for, they must be kept up to date, which means reviewing and revising them on a regular basis. Need to create brand-new security policies? Or update your stale, old security policies into vibrant, relatable policies that help guide your company to success? Here are five best practices to get you started.
1. Know what you need policies for
Policy requirements vary depending on a company’s size and industry. A global financial institution, for example, will have far more complex policies than a small accounting firm or even a cloud-native fintech. If your organization is part of a regulated industry, include all your assessor’s requirements in your IT security policies. If your organization is not regulated, NIST SP 800-53 Rev. 5 has an extensive list of controls, which include recommended policy guidance. Just keep in mind: If you’re not using a given control, you won’t necessarily need a policy for it. Also, NIST doesn’t list an acceptable use policy (AUP) for employees or contractors who access your systems, but this is an essential policy for all companies.
2. Be smart about policy reuse
Shared assessments and certifications are more important today than ever before, given the increased focus on supply chain security. Most customers and partners will ask you to fill out an attestation form or SIG. Your policies are the basis for many of the answers to those SIG questions. Streamline the response process by modularizing your policies into sections that can be cut and pasted directly into SIG questionnaires.
3. Make them readable
Unless your employees are all lawyers, they’re probably not fluent in legal language. Take time to write readable policies for your intended audience — especially for policies requiring personnel action. For example, the AUP should be read by everyone at the company with the expectation they understand and follow it. A backup policy, on the other hand, can be more technical since it will be used by the IT team to inform its backup process.
4. Less is more
Many companies adopt extremely long, exhaustive policies. The problem is twofold. First, if it’s too long, no one is going to read it. The second issue is even more serious: If your policy says your company will do something, it must do it. Spend time thinking about what your company can reasonably achieve. If it’s doing everything in its policy, the company will be ahead.
5. Keep them fresh
Don’t forget: Security policies are living documents. Your company will grow, technology will evolve and IT security policies will need to change, too. Designate a person or team to oversee policies, and have them set up a regular cadence for review and revision. While one or two people may lead the review process, it’s important they engage key stakeholders who are affected by the controls the policies apply to. This builds a culture of collaboration where policies are created by the company rather than “done to” people without input.