If your organization is having trouble creating policies, I hope this blog post helps you set a clear path. We’ll discuss setting your organization up for success by ensuring that you do not treat your policies as a “do once and forget” project. Many organizations I have worked with have done exactly that, only to realize later that a good policy lifecycle is required and is a pillar of good governance.
Organizations often feel that developing and enforcing policies is bureaucratic and tedious, but the importance of policies is often felt when your organization does not have them. Not only are they a cost of doing business, but they are also used to establish the foundation and norms of acquiring, operating, and securing technology and information assets.
The lifecycle, as it implies, should be iterative and continuous, and policies should be revisited at a regular cadence to ensure they remain relevant and deliver value to your business.
The first step is to find out where your organization stands; this step should shine a light on where gaps exist and what they are.
First, determine how you will assess your policies. Here is a checklist to use whether you are building new ones or bringing current ones up to date:
- Is it current and up to date
- Does it have a clear purpose or goal
- Does it have a clear scope (inclusions /exclusions)
- Does it have a clear ownership
- Does it have a clear list of affected people
- Does it have language that is easy to understand
- Is it detailed enough to avoid misinterpretations
- Does it follow the laws/regulations/ethical standards
- Does it reflect the organizational goals/values and culture
- Are key terms and acronyms defined
- Have related policies and procedures been identified
- Are there clear consequences for non-compliance
- Is it approved and supported by management
- Is it enforceable
Next, inventory your organization’s policies by listing them and assessing each one’s quality against the checklist above. Based on that quality, identify whether your organization needs new policies or whether the existing ones need improvement, then estimate the amount of work that will be required.
Best practices suggest that you may want to prioritize your efforts on the most significant improvements, those that focus on the most serious business vulnerabilities.
Understand that policy improvement does not end with a new policy document. You will need to plan for communications, training, process changes, and any technology improvements needed to make the policy fair and enforceable.
After the assessment is done, plan on developing your policies or revamping the old ones. Although there is no consensus on what makes a good policy, the referenced material suggests the following best practices: policies should have a clear purpose and a precise presentation that drives compliance by eliminating misinterpretations.
All policies should include and describe the following:
- Glossary of terms
For maximum effect, policies should be written:
- With everyday language
- With direct and active voice
- Precisely to avoid misinterpretation
- Consistently in keeping with standards
Consider that policies need to be actively sold to the people who are supposed to follow them. You can achieve that by using a communication plan that includes:
- Goals and objectives
- Key messages
- Potential barriers
- Suggested actions
- Budget considerations
A lack of enforcement creates ethical, financial, and legal risks for any organization. Among the risks are loss of productivity due to abuse of privileges, wasted resources, and loss of reputation if an employee engages in illegal activities because of poor policy enforcement, which can in turn lead to litigation. Make sure that you have clear rules of engagement.
Your organization should establish the proper support framework around Leadership, Process, and Monitoring, and policies should be measured against defined standards. Policies don't always fail due to bad behavior; they fail because:
- They are poorly written
- There is no enforcement
- They are illegal or unethical
- They are poorly communicated
- They go against company culture
If your company feels overwhelmed thinking about all the moving pieces that make up an IT Policy Management Lifecycle, let AT&T Cybersecurity Consulting help, whether you need to amend existing policies, implement one or more brand new policies, or need a complete overhaul of the entire policy portfolio.
1) F. H. Alqahtani, "Developing an Information Security Policy: A Case Study Approach," Science Direct, vol. 124, pp. 691-697, 2017.
2) S. Diver, "SANS White Papers," SANS, 02 03 2004. [Online]. Available: https://www.sans.org/white-papers/1331/. [Accessed 15
3) S. V. Flowerday and T. Tuyikeze, "Information security policy development and implementation: The what, how, and who," Science Direct, vol. 61, pp. 169-183, 2016.
4) K. J. Knapp, R. F. Morris, T. E. Marshall and T. A. Byrd, "Information security policy: An Organizational level process model," Science Direct, vol. 28, no. 7, pp. 493-508, 2007.