Cybersecurity policies are key to the success of any cybersecurity, information security, GRC, or risk management program. Without these critical foundational documents, there is no effective way to document control requirements or assign associated responsibilities. This is likely to result in a lack of accountability for the personnel responsible for the implementation and ongoing management of required cybersecurity controls. An effective set of cybersecurity policies should set the cybersecurity tone for your organization and inform personnel of what is expected of them. Additionally, if these documents are not implemented, you will not be able to efficiently communicate the cybersecurity program controls that you have implemented to third parties (e.g., customers, partners) or independent assessors (e.g., auditors, examiners, regulatory entities). Any assessment of your organization’s cybersecurity program will be over before it starts without these must-have documents in place.
Cybersecurity policies should contain requirements derived from business strategy, business requirements, regulations, legislation, contracts, and information related to cybersecurity threats.
The responsibility for the development, review, and approval of cybersecurity program policies needs to be assigned to relevant personnel in accordance with their level of authority and competence. Policies must be reviewed at defined frequencies (e.g., at least annually) and when changes occur to:
Policies should be documented, approved, published, and communicated to all appropriate personnel. Recipients of the policies should be required to acknowledge that they understand and agree to comply with policy requirements. Acknowledgement requirements should be based on the roles or job functions of personnel. Because policies will change over time due to changing requirements, personnel should be required to acknowledge policies at a defined frequency (e.g., annually).
Free policy templates are available from the Internet. Just say no. Hundreds, if not thousands, of “free” policy templates are available via the Internet. The old saying of “you get what you pay for” is certainly appropriate for the cost of these policies. While these policies may effectively address a specific topic, they have not been designed to work in concert with other appropriate cybersecurity policies to address a complete framework of controls for your organization.
You may want to obtain policies from a trusted cybersecurity provider familiar with your organization or the control frameworks with which you are required to comply. These policies should be carefully crafted to ensure that every requirement associated with the controls your organization has adopted is effectively addressed. Another alternative may be to spend the time needed to develop your policies internally. While this option may take the most time, nobody knows your organization better than your internal personnel. It is highly encouraged to use a trusted security partner if you do not have an experienced policy writer on staff within your organization.
How many policies do I need (one versus 100)? Neither. If you have just one cybersecurity policy document, you are likely to miss something. You may miss including important content due to trying to pack everything into a single document, or (more importantly) you will lose your audience before they even begin reading the policy when they realize how long it is. Keep in mind, it may be that not every policy or associated control is appropriate for review by all personnel.
Each cybersecurity program policy will need to be reviewed at least annually. Each policy should be supported by an accompanying plan or procedures that also needs to be reviewed. You can see how this can quickly snowball out of control from the perspective of documentation management. Keep it simple! Account for every required control, but if you have more than 30 policies, you likely have too many.
If you create a single-topic policy for everything that needs to be addressed within your cybersecurity program, you could end up with 100 or more policies. Two things are likely to happen with that many policies: your personnel are going to acknowledge they have reviewed each policy when they have not, and someone will have to review and update 100 or more policies on an annual basis. It is unlikely that anyone has the time to read, review, and update that many policies.
Generally, developing a single dedicated policy for each control family adopted by your organization makes the most sense. For example, NIST Special Publication 800-171 has 14 control families. Developing a policy for each group of controls would result in 14 policies for your organization. Structuring your policies in this manner establishes a middle ground between one policy and 100 policies. It is important to keep the number of policies for your organization manageable. This helps to ensure that all appropriate personnel are reviewing and acknowledging the policies that are applicable to them, while your cybersecurity team has a manageable number of policies to maintain for your organization.
Developing a single policy for each dedicated control family or group of controls identified by the control framework adopted by your organization is a great way to structure your cybersecurity program controls. This will help support more efficient annual policy reviews, content updates, and policy acknowledgements for all personnel.
Cybersecurity program policy reviews, along with annual acknowledgements by all appropriate personnel, should not be difficult or burdensome. You want personnel to read the policies they need to review in order to support your cybersecurity program. That could be four policies for some personnel and perhaps ten policies for personnel with different roles. Defined personnel roles should be used to determine the policies that need to be reviewed and acknowledged by different types of personnel.
Consider this. Do your customer support personnel need to review a Third-Party Risk Management Policy on an annual basis? The executive leading that team should likely review the policy if they are involved in engaging any third parties to support the customer service function, but the front-line personnel are likely to gain very little value from reviewing this policy as it does not impact their daily job function.
Allow for feedback. Implement a process for individuals to provide feedback on cybersecurity policies, plans, and procedures. This should include any complaints or requests for changes to the cybersecurity controls, as well as the accompanying processes, that are documented for your organization. Changing the documentation for how a control is performed is acceptable as long as the intent of the control is not affected. The disposition of, or actions taken on, feedback about security program controls should also be documented. Recording the actions taken based on feedback received during management reviews of your security program is highly encouraged.
Implement a process for temporary control exceptions. It is unlikely that every user and every information system is going to be 100 percent compliant with every documented control 100 percent of the time. This is especially true when a new policy is implemented that contains controls that are being implemented for the first time within your organization. To account for temporary deviations from defined cybersecurity program controls, your organization should implement a process for managing temporary exceptions to individual cybersecurity controls.
Implement a process to manage exceptions that allows you to provide evidence that even partially implemented controls are being addressed and remediated. This not only provides a vehicle for managing remediation, but tracks continuous improvements as well.
An exception management process should be developed and implemented to accommodate temporary exception requests. This process should address the tracking of remediation activities associated with each exception request. Exceptions should be temporary. They should be requested, reviewed, approved, and managed until appropriate remediation is completed, which leads to full control compliance. Approved exceptions should be integrated into risk management processes, and any potential risk associated with an approved exception should be accepted by someone who is authorized to accept risk on behalf of your organization.
If you are just starting to consider creating a Cybersecurity program framework, or if you need to improve an existing one, our vCISO and Cybersecurity experts can help.