“The fewer rules there are, the more reasonable it is to expect people to follow them,” Heiser says. “If you want to add something, then take something out.”
While an annual review of security policies is common, especially where compliance rules are involved, some analysts believe the standards and procedures should be reviewed quarterly. “In general, for a large organization the absolute minimum is quarterly, but they should also be reviewed as needed,” Schwartz says. “If they discover a gap due to a change in the threat landscape, or get a new HR system or move to the cloud, a new mobile environment – all of those events are going to trigger potential changes in policy.”
All new threats should be held up to established security policies to make sure they are addressed at the highest level. If they aren’t, then, “You have to have an executive leadership conversation on what do you want to do on principle” with the security team, legal, audit and compliance to determine the right course of action and then craft a policy, Bernard says. Once the security policy, standards and procedures are cleaned up and current, make them easy for employees to find quickly, she adds.
One of the first things that James Baird did when he joined the American Cancer Society in October 2015 as vice president of IT security and compliance was to make the organization’s security policy easily accessible and searchable for employees. About 1,800 static PDF pages were replaced with HTML pages hosted on SharePoint. Topics are now easily searchable, and hyperlinks take employees from one policy to any supporting policies, or to a set of requirements or guidelines.
When searching the acceptable use of Wi-Fi, for example, an employee will quickly find the policy and a link to a list of standards, the access points they can have, and the brands they can use. “My goal is to give people the tools that they need to inform themselves and to investigate as much or as little as they need to in a policy,” Baird says.
The right balance of security policy and risk tolerance varies greatly with each organization, Heiser says. Having very specific policy goals is the starting point for governance, but there’s no data that proves what that optimal level of policy should be, he adds. “Once [a security policy] has been out there, you can go back and ask, did this have an impact?”