Information Security Policy Projects
6.5 Information Security Policy Project Application
Once the information security policies are drafted, the policies must go through an approval process, organizational departments will require training on the policies, and additional policy application consulting will be required for some organizational departments. Figure 6.2 provides an example of the application process for the newly developed or revised PSPs. There are three major phases of the policy application process with three tasks in each phase.
Phase 1: Policy approval. Once the PSPs are developed, the next phase is to seek formal approval. In addition to the draft policies, Figure 6.2 shows the step of creating a policy instruction sheet for each policy to aid in the review process. Figure 6.3 shows an example of a policy instruction sheet (or summary) that provides a single-page summary of the policy purpose, importance, audience, and high-level policy statements.
In smaller organizations, approval may be only a single step, but in larger organizations, approval must be sought through several steps, namely, security management review, department review, and board review.
• Security management review. This approval phase requires that the senior-most information security representative for the organization agrees with and approves the information security policy set, policy statements, and approach for policy governance. If the security policy set was developed within this department or team, then this task may have already been completed with the completion of the draft policies, but if the policies have been created by an element of the team, another department, or an outside consultancy, then the senior-most security representative for the organization will have a formal approval process. The formal approval process may consist of a formal line-by-line presentation, discussion, and defense of each policy statement or it may simply be an offline review and revision of the drafted policies.
Figure 6.2 PSP application process—example. The example information security policy application process involves policy approval, policy training, and policy application consulting.
Figure 6.3 Information security policy summary—example. The policy summary provides a single-page summary of the policy purpose, importance, audience, and high-level policy statements.
• Department review. This approval phase requires that the information security department of each organizational department receives a chance to provide input, clarification, or request modifications of the drafted policies. It is best to include these departmental representatives throughout the policy development process so that there are very few surprises. However, a formal and final review of these policies is typically necessary for organizations to take into account unique needs of each department and to help to ensure buy-in to the process.
• Board review. This is the final approval for policies but may not be necessary for standards and procedures. Policies are the statement of intent from senior management involving the secure use of organizational resources and protection of sensitive information. Therefore, senior management (e.g., the board or board delegate) must formally approve policy-level documents for the organization. Such approvals rarely include a line-by-line review but instead the board members typically rely on their own experts, subcommittees, and delegates to perform such a review and advisory role.
Phase 2: Policy training and consulting. Once the PSPs are approved by the security management, departments, and the board, training is required to provide appropriate guidance and understanding of the policies. Security policy training involves three steps: policy introduction training, policy familiarization training, and policy tailoring and application training.
• Policy introduction training. Information security policy introduction training is generally limited to the objectives of the policy development project, the basics of the security policy framework chosen, and an outline of the policies and policy contents. Such a training session is generally limited to 1–2 h.
• Policy familiarization training. Security policy familiarization training explores each of the policies in more depth. This includes a review of the roles and responsibilities for each policy and a step-by-step review of each of the policy statements. Audience members will generally want to request an interpretation of some of the policy statements on their own information systems and/or comment on the impact of the policy statements on their department or information systems. Leaving time for such comments would require that this training take 4–6 h.
• Policy tailoring and application training. In addition to an in-depth policy training, many departments will require one-on-one training to discuss their own department’s approach to tailoring and applying the information security policies to their department and department information systems. This type of training should be tailored to the department’s specific questions and concerns but a general set of slides covering the following elements should be prepared and used as a consistent set of guidance to all departments:
• Roles and responsibilities: Identify departmental roles (and names) to assign the roles and responsibilities from each policy. Example roles include department head, information technology lead, information security lead, and user manager.
• Department information systems: Identify department information systems, including system name, function, and boundaries. This should include a discussion of the trade-offs between defining many small information systems versus several (or one) large system, and determining system owners.
• Adopting versus tailoring policy statements: Each policy statement may either be adopted (e.g., the department agrees with the policy statement) or the department can request a policy exception (see Section 4.2.2).
• Completing policy statements: Many policy statements may have been written to allow the department to specify, define, or assign an aspect of the policy statement. For example, consider the following policy statement: “The department information system automatically removes or disables temporary and emergency accounts after a department-defined time.” The phrase department-defined time is to be replaced with a time period defined by the department. For each of these phrases in a policy statement, the department will need to complete the policy statement with its own input. In order to assist departments with these decisions, it may be useful to create a tailoring guide that is used with all departments to ensure consistent advice. See Appendix B: Example Departmental Policy Tailoring Guide for an example of an instruction to departments on how to tailor information security policy templates for use in their organization.
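One way to make the placeholder-completion step checkable, as an added example that is not from the book: a short Python script that takes a policy template containing bracketed "department-defined" phrases, one department's adopt/exception decisions, and the guide values issued to every department, and reports each statement that is still incomplete (a placeholder left unfilled, or an exception requested without a risk-based rationale). The statement ids (POL-01 to POL-03), statement wording, guide values and decisions are constructed for illustration.

```python
"""Department policy-statement tailoring check (added example; all data constructed)."""
import re
from dataclasses import dataclass, field

# A bracketed phrase the department must replace, e.g. [department-defined time]
PLACEHOLDER = re.compile(r"\[(department-defined [^\]]+)\]")

# Constructed policy template: statement id -> statement text with placeholders
POLICY_TEMPLATE = {
    "POL-01": ("The department information system automatically removes or "
               "disables temporary and emergency accounts after a period of "
               "[department-defined time]."),
    "POL-02": ("The department information system locks an account after "
               "[department-defined number] consecutive invalid logon "
               "attempts within [department-defined time period]."),
    "POL-03": "The department retains audit records for [department-defined time period].",
}

# Constructed tailoring guide: the recommended value given to every
# department so that the advice they receive stays consistent.
TAILORING_GUIDE = {
    "department-defined time": "30 days",
    "department-defined number": "5",
    "department-defined time period": "15 minutes",
}


@dataclass
class Decision:
    """One department's decision for one policy statement."""
    action: str                                  # "adopt" or "exception"
    values: dict = field(default_factory=dict)   # placeholder phrase -> chosen value
    rationale: str = ""                          # required when requesting an exception


def tailor(template, decisions, guide):
    """Return (completed statements, issues) for one department's decisions."""
    completed, issues = {}, []
    for sid, text in template.items():
        decision = decisions.get(sid)
        if decision is None:
            issues.append(f"{sid}: no adopt/exception decision recorded")
            continue
        if decision.action == "exception":
            if not decision.rationale.strip():
                issues.append(f"{sid}: exception requested without a risk-based rationale")
            else:
                completed[sid] = f"[EXCEPTION REQUESTED] {text} Rationale: {decision.rationale}"
            continue
        if decision.action != "adopt":
            issues.append(f"{sid}: unknown action {decision.action!r}")
            continue

        def fill(match):
            phrase = match.group(1)
            if phrase in decision.values:
                return decision.values[phrase]
            hint = guide.get(phrase, "no guide value")
            issues.append(f"{sid}: '{phrase}' not completed (tailoring guide suggests {hint})")
            return match.group(0)  # leave the placeholder visible in the output

        completed[sid] = PLACEHOLDER.sub(fill, text)
    return completed, issues


# Constructed decisions from one department: POL-02 is missing one value,
# POL-03 requests an exception but gives no rationale.
DEPARTMENT_DECISIONS = {
    "POL-01": Decision("adopt", {"department-defined time": "24 hours"}),
    "POL-02": Decision("adopt", {"department-defined number": "5"}),
    "POL-03": Decision("exception"),
}


def run_example():
    return tailor(POLICY_TEMPLATE, DEPARTMENT_DECISIONS, TAILORING_GUIDE)


if __name__ == "__main__":
    done, problems = run_example()
    for sid, statement in done.items():
        print(sid, statement)
    for problem in problems:
        print("ISSUE:", problem)
```

Running the script prints the two completed statements and two issues; a department's tailored set would only be accepted once the issue list is empty.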
Phase 3: Policy application and consulting. Once the information security policy training is complete, individual departments may require additional assistance or consulting in the development or application of their information security policies. The following consulting tasks are recommended for assisting these departments with the tailoring and application of their information security policies:
• Develop a worked example: A worked example (e.g., a completed policy set for a specific department) can provide other departments with guidance on how to complete a policy set. It is always useful to find a department willing to be held up as an example in exchange for assisting them with the development of their own policy set. This set can then be used as a worked example.
• Provide policy tailoring assistance: If the advice given in the training is not detailed or clear enough, some departments may require assistance with tailoring a policy set for their own department and department information systems. Assistance may involve selection of compensating controls or the development of a risk-based exemption rationale.
• Provide policy application assistance: Once the policy set is tailored and accepted by the department, it will then be applied to the department and its information systems. This means the development of security controls such as policies, procedures, processes, access controls, encryption, etc. Additional assistance to organizational departments may be useful to the overall organization in this area.
EXERCISES
1. Consider your own organization’s information security policy set (or a set given to you by your instructor). Estimate the amount of time it would take to perform the following tasks:
a. Update the policy set to include the latest version of PCI DSS
b. Update the policy set for an update of the underlying framework (e.g., NIST 800-53, ISO 27001)
c. Perform the review and approval process
2. When rearchitecting an information security policy set (e.g., creating a new set), why is it important to review the current set of information security policies?
3. What steps in an information security policy development project help to ensure organizational buy-in?
4. When adopting a new (or revised) information security policy, many departments and/or information systems may be noncompliant with the new security policy statements because they were previously not required.
a. Is this a good reason for a department to request a policy exception?
b. What reaction would you expect from an auditor for new requirements for an organization that has recently adopted new information security policies (e.g., organization has recognized new requirements but not yet implemented them)?