So, you have been told by an auditor that your security policies and other security documentation are out of date or non-existent.
“Okay, so let’s draft a two-page policy and tick that box.”
Such glib responses are all too common. This is definitely not an appropriate way to address your organisation’s risk profile and enhance your security posture.
At the other extreme, some organisations become mired in the process. I’ve witnessed organisations take over 12 months, with multiple iterations, trying to develop security policies. There is a fear that comprehensive security policies will be too restrictive and crippling, even when taking into account the organisation’s specific requirements.
So, what exactly does security documentation consist of and what value does it add?
Some obvious documents include Agency Security Policies and Acceptable Use Policies. However, the spectrum of security documentation is far broader and can include standards, plans, policies, operational documentation and registers, and system specific documentation and registers.
Security documentation should be more than just rule-setting. Whilst it does help define the expectations of how people work, importantly it should also provide direction on how to get things done in a secure, consistent, and efficient manner.
The entire IT landscape, in particular the connected cyber world in which we all live, is changing rapidly. Developing, maintaining and actively using up-to-date security documentation helps ensure staff are working securely. The right documentation is also a necessary precursor to ensuring systems and information are appropriately secured. Documentation also keeps staff up to date with changes, which is itself a form of on-the-job training.
In today’s complex world, it is almost impossible to write concise, user-friendly policies and standards that meet every business need. It is therefore important that security documentation is drafted to meet most users’ needs for most of their daily activities. Exception handling processes should be available to ensure special circumstances are considered in a controlled and risk-based manner. Staff are more satisfied when most of their work can be undertaken seamlessly, so that whenever they have special requirements, those can be considered rather than just being told “no”.
Some documentation, such as incident response plans and in-depth procedures, may not be used frequently but is equally important. When key subject matter experts are unavailable, or when things go wrong, there is usually still a focus on getting the job done quickly. Without the guidance of well-thought-out documentation, things can and do go wrong. In the rush to get things done, for example when restoring system availability after a cyber incident, it can be easy to lose forensic evidence, thereby hindering the ability to understand how the system was compromised. This means protective measures to stop future incidents cannot be put in place, and it may be difficult to determine the full impact, such as knowing whether sensitive information was stolen.
How can Shearwater help you?
When it comes to developing comprehensive security policies and documentation for your organisation, you need to get the balance right.
You need to ensure your policies have sufficient breadth and depth so they make a positive contribution to enhancing your organisation’s security. At the same time, they shouldn’t be so cumbersome that they hinder your operational performance.
With Shearwater’s security consultants, your organisation can be confident of getting the balance right. Our team of experts will analyse your business practices and assess your circumstances using a risk-based approach. We will work with you to ensure the security policies and documentation are appropriate and achieve the right outcomes for your organisation.
Contact us today on 1800 283 613 to discuss your needs with one of our consultants.