Function of an IS Program
There has been a growing trend for organizations to use policy templates to build their policy documents and Information Security Programs. Using templates however may come with more limitations and exceptions. It is important for an organization to identify the business objectives, functions, assets, and risks that guide their Information Security (IS) Program. An Information Security Program is essential for an organization to establish cybersecurity readiness, which is assessed by examining a combination of items. Information Security staff members, management, and members supporting relevant operations must bear in mind that technical configurations and recommended software or hardware solutions are not the only components that are assessed to determine cybersecurity readiness. The organization’s written policies and plans that make up their Information Security Program must also be considered.
Purpose of Policies
An organization’s security policies have several purposes. Once written, policies are intended to define the organization’s goals and identify the parties responsible for supporting the organization in meeting those goals. Policies should have a defined scope which identifies who/where the policy applies, such as to a specialized group of employees or systems. A policy must include a standard (compulsory objective) and the actions and techniques necessary to execute the policy and enforce compliance for all appropriate staff members; this is also known as the procedures. Policies should identify security issues which may impact the organization’s goals and may also reference guidelines that present information on how to address requirements established by a legal and/or accredited authority. Common types of policies include the following: Hiring Policy, Termination Policy, Access Control Policy, Remote Access Policy, Audit Policy, Data Classification Policy, Change Management Policy, System Maintenance Policy, Acceptable Use Policy, Physical Security Policy, Personnel Security Policy, Incident Response Policy, and the Risk Management Policy.
Policy Planning and Templating
Some organizations may seek out guidance from a designated security advisor, third-party, or certified assessor to undergo a review process when drafting and implementing written policies. Others, likely in the interest of saving time and effort, may favor a Ctrl-C approach. This often involves downloading a policy template for a control framework online, (hopefully, replacing the insert company name here in the title page with their own company name), and finally adding management’s signature on the last page of the document. Those who adopt this templating or Ctrl-C approach favor a shortcut over ongoing efforts to establish a comprehensive Information Security Program with policies tailored to the organization’s needs and best interests.
Problems Resulting from Policy Templating
Risk, non-compliance, and poor resource planning are just a few of the consequences that can manifest as a result of using policy templates without reflection or any oversight. If a company chooses to introduce security practices referenced in a policy template without first identifying what is viable to implement in their infrastructure, they may risk purchasing products that are noted in the template to fulfill a compliance goal. However, these products may be inadequate or a poor fit for the organization. When establishing a service to provide protection against malicious code for instance, an organization should implement some endpoint protection solution. Depending on the size of the organization, e.g. one made up of 30 to 150 staff members, a solution like Cisco ASA FirePower may be appropriate. However, for larger organizations of 200 or more staff members, implementing a solution to accommodate a wider scope such as SolarWinds may prove to be the more serviceable of options.
Recognizing Different Control Frameworks
As mentioned above, the organization that relies on policy templates may do so based off of a false presumption that organization-directed procedures are globalized or one size fits all. This is a critical, misguided assumption especially when policy templates or samples are used as models in an attempt to create policies for control frameworks that are primarily descriptive. Descriptive control frameworks are those that offer guidance on the types of goals an organization may have to meet the criterion for security objectives rather than how the organization should standardize the specific, actionable steps taken to realize security objectives.
A non-prescriptive control framework may be considered as a more broad, high-level approach compared to its prescriptive counterpart. The CMMC or Cybersecurity Maturity Model Certification Framework is used to asses an organization’s standing in handling Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI) for federal contracts. The CMMC Framework is an example of a non-prescriptive control framework. The Center for Internet Security (CIS) Controls Framework, which is used to assess an organization’s basic, foundation, and organizational cybersecurity structure is one example of a prescriptive control framework.
When understanding the difference between a non-prescriptive and prescriptive framework, it may be helpful to think about a real-world example. The COVID-19 pandemic has resulted in millions of fatalities since its initial outbreak in 2019. In 2020 requirements for implementing protections against COVID-19 in the United States were prescribed; these requirements were deemed mandatory in the earlier phases of the pandemic and specific, consistent actions were requested and completed in order to reduce further risks to the public. Businesses which provided services in spaces where large groups could gather, such as festivals and movie theatres were shut down. Curfews were enforced and masks were required for patrons to enter facilities and receive services; this rule extended to locations outside of retail and health care facilities. Conversely, in 2021, the United States was one of several Western countries that, after prescribing changes in safety precautions in the prior year based on CDC recommendations, would see laxer requirements. A non-prescriptive approach to COVID-19 protections would be offered across the U.S. as business owners would “use their best judgment to identify instances of potential COVID-19 contamination and ensure that such instances may be controlled or monitored”. This would leave it up to a business owner’s discretion to decide what measures may be implemented in response to concerns about the spread of COVID-19. These measures were variable for businesses and included processes to report COVID-19 symptoms, procedures for voluntary vaccination status disclosure, flexibility around the company’s hours of operation, and putting social distancing practices and remote communication options into effect.
Language and Judgments Impacting Policy Execution
A misinterpretation of policy guidelines or lack of understanding may also result from an organization’s dependence on policy templates. If a policy template is marked by language and references that the reader is not familiar with, then the use of that language and concepts which are not understood may be repeated and misinterpreted throughout the organization. When using templates, it is best to examine them for any nonessential concepts or superfluous language. Substance in addition to form are key elements of policy design. The policy reviewer should ultimately add language that is transparent and concise so that a reasonable staff member may read the policy, communicate its meaning, and follow the steps identified to enforce it. Any terms that may not align with the general body or tone of a policy statement or are regarded as supplemental information may be listed with their definitions on a glossary page of the policy document or within a footnote.
Excluding adopting a pragmatic review approach to address the language and interpretation of written policies, the organization must establish practices that demonstrate the ongoing communication of policy efforts. Policies must be designed and reviewed on a continuous basis. Any updates to a policy should be documented and accompanied by a revision version and date. Organizations that seek out policy templates without referring to other sources may focus less on the execution of the actions contained in their drafted policies. A policy that is neither followed nor actionable is rendered useless. The organization that focuses on policy templates may be less inclined to perform collaborative tasks and maintain regular discussions. This should not be the case as establishing periodic Board and Information Security Meetings or calls with leadership is important to provide discourse on policy changes and directives and to report on the organizational actions that have been taken to date.
Policy Education and Awareness
When speaking about Information Security, organizations who rely on templates may suffer also in failing to develop multiple parts of their Information Security Program. Security awareness and training is an area where a failure of this type could be disastrous.
The Security Awareness and Training Program is instrumental in preventing negative outcomes associated with poorly managed or uninformed user behaviors. Establishing not only a Security Awareness and Training Policy, but also a Security Awareness and Training Program is vital for the continuity of a business and the safety of its assets. The types of data that staff members may interact with in the organization, e.g. Personal Identifiable Information (PII) and Federal Contact Information (FCI) should be clearly defined and there should be a classification system in use to assist staff with this process.
Security awareness training may be conducted across several mediums, including seminars that are scheduled with subject matter experts to provide information on best practices, a company intranet site, or a video on-demand platform. Regardless of the method(s) employed to facilitate the training (general and role-based), the practices must address appropriate measures for educating users on risks pertinent to their environment. Training may cover practices for password creation and management, data handling, understanding developing security issues or advisories, physical security, reporting insider threats, portable storage device use, personal device use, and social media use. The Security Awareness and Training Program should be referenced periodically and as new staff members are on-boarded.
When writing policy documents, templates may be used as a reference or starting point but should not represent an organization’s goal post or final product. The expectations of a policy must be understood and proportional to the organization’s resources and anticipated business continuity plans. Communication, direction, education, review, action and organizational support from staff, including management are requisites for designing a workable policy and an authentic Information Security Program. No organization should be complacent in designing and analyzing their policies based on templates; this type of judgment misrepresents control efforts.
Vestige offers Expert cybersecurity compliance across numerous platforms. We are also a CMMC Registered Provider Organization with Registered Practitioners on staff. To learn how we can help with your cybersecurity compliance, CONTACT US at 800-314-4357 or info@VestigeLtd.com today.
By Jade Brown, BA, C|EH, GCTI
Vestige Digital Investigations
Follow Vestige on Linkedin