Cybersecurity is one of the leading concerns among today’s executives and risk management professionals. Yet despite its importance, organizations still lack pragmatic cybersecurity policies and procedures. Even in companies with relatively sophisticated information security functions, written policies and procedures often are designed primarily for compliance purposes instead of functioning as practical, useful tools that can help proactively manage risk.
To be effective, cybersecurity policies and procedures must do more than merely help an organization achieve check-the-box compliance with regulatory requirements or security frameworks. Rather, policies and procedures should be a critical component of the overall information risk management effort, helping the organization to define standards and expectations, set direction, and proactively manage and mitigate cybersecurity risk.
Going beyond compliance
The rapid onset of the digital age generated major structural changes in the ways that many business processes are implemented and managed. Ideally, information security policies and procedures would help risk management teams address these fundamental changes by defining standards and providing direction on key risk management initiatives.
Unfortunately, the complexity of the regulatory environment often leads companies to focus first on achieving compliance instead of creating functional standards that can support critical cybersecurity programs. The situation is further complicated by difficulty in finding, recruiting, and retaining personnel, which often is exacerbated by an overall lack of resources that would enable companies to focus on a comprehensive policy and procedure initiative. Fast-changing technology, an array of disconnected legacy systems, and an evolving threat landscape add to the challenge.
As a result, many information security policies and procedures soon become “shelf ware” that might be adequate for compliance purposes but are of little use when threats emerge or issues arise – as they inevitably will. In such cases, organizations find themselves on the defensive, reacting to security events in real time rather than proactively managing and mitigating risk. In order to break this pattern and develop and implement pragmatic and effective policies and procedures, senior management must recognize the problem and set organizational expectations for risk management.
Developing a practical approach
Cybersecurity policies and procedures do not need to be prescriptive or excessively granular. However, they should be inherently practical by defining critical risk management program components and providing guidance to employees on their roles and expectations.
The first step in developing practical information policies and procedures is to define the specific goals of the effort. The senior risk management team must clearly spell out objectives so that the specific programs the team ultimately designs will identify, monitor, and address the most significant risks to the organization.
In many instances, this process involves a formal risk assessment, particularly in publicly traded companies or highly regulated industries such as healthcare or financial services. Other organizations with less stringent outside oversight might be able to use a less rigid or highly structured process, but in every type of organization, the development of cybersecurity policies and procedures should be a risk-based effort. Such an approach is necessary to identify both the threats to which an organization is particularly vulnerable and the areas of risk that have the greatest potential impact on the organization’s ability to pursue its strategic objectives.
With the goals defined, the next step is to inventory any existing policies and procedures that already are in place. Ideally, the development team could either apply or adapt some existing elements and use these as a starting point.
Often, however, the management team recognizes that the existing policies and procedures were assembled on an ad hoc basis, drawing on disparate sources that are inconsistent or incongruent. Many of the existing elements might not be relevant or applicable to current circumstances. In short, the team should not be afraid of starting over if necessary.
However, starting over does not mean working from a completely blank page. An important early decision is the choice of an appropriate policies and procedures template, which can provide a solid starting point. Organizations such as the SANS Institute have devoted significant resources to gathering the current best thinking among information security professionals without promoting specific vendors or products.
Bear in mind, though, that such templates require customization. Teams should avoid the temptation to just fill in the blanks and adopt a template verbatim. The right template can provide a useful framework and checklist of critical elements – but the elements themselves should reflect the organization’s specific requirements.
In addition to looking to a template for guidance, the risk management team should look for opportunities to collaborate with peers or partners in other organizations for further insights. It is also important to take a similarly collaborative approach in coordinating with other business units within the organization. Such units often can offer significant functional expertise to help enhance cybersecurity risk management.
For example, in a banking or other financial services business, the financial crime and fraud units will have valuable insights that can help with specific information technology risk initiatives. In public sector organizations, public safety personnel have extensive experience with crisis management. Such hands-on expertise is invaluable in formulating response plans for cybersecurity breaches.
Involving other departments in the development of policies and procedures can also help secure buy-in from stakeholders and ultimately facilitate compliance. As noted earlier, the policies and procedures should not be specifically prescriptive, but they should include clear end-user guidelines and well-defined expectations for employees regarding the handling of sensitive information, password policies, acceptable use of personal devices, and similar issues. Input from those with day-to-day engagement can make it easier to develop guidelines that are both effective and realistic.
Other critical elements to incorporate include comprehensive incident response procedures, detailed third-party risk management policies, and clearly defined patch management policies and procedures. These components grow in importance as more and more information technology is outsourced to the cloud and other third-party providers.
Putting policies and procedures into practice
Even the most carefully developed policies and procedures will be of little value beyond compliance if they are not actively communicated throughout the organization and applied consistently. In addition to launching an initial deployment with visible support from the executive level, the risk management team should make sure that cybersecurity policies and procedures are communicated throughout the organization regularly and that operational personnel are aware of their specific roles and responsibilities. In most organizations, this communication can be accomplished through a combination of scheduled annual training and periodic refreshers that address targeted components.
Finally, it is important for all concerned to recognize that effective policies and procedures must incorporate a continuous improvement element. Instead of being a one-time effort to create a “set-and-forget” document, the development process must be ongoing and include regularly scheduled updates. Maintenance and adherence components should be incorporated from the outset and updated in every subsequent iteration of the program.
At a minimum, a comprehensive review of the policies and procedures should take place annually. Information security capabilities and technology are continually maturing, and the threat landscape is constantly evolving. Even more important, an organization’s risk appetite – as well as its long-term goals and strategies – will evolve as leadership adapts to changing conditions and opportunities.
Timely review is essential to reevaluate how well the policies and procedures address the current environment. In addition, regular and consistent testing is necessary to help verify the continued effectiveness of incident response program elements. All response components should be tested at least annually, using either tabletop testing or other recognized techniques.
The events of 2020 and 2021 have demonstrated how quickly and significantly risks can change – and how important it is to continually review and update policies and procedures to accommodate unforeseen events. The most effective risk management teams will use this process to do more than merely maintain compliance with regulatory requirements. Rather, they will seize the opportunity to define, develop, and implement practical programs for actively managing IT risks.