Make Policy Your Friend and Learn to Love Governance and Compliance

I was a GRC (Governance, Risk, and Compliance) person first and now I am a CISO (Chief Information Security Officer). It was 20 years ago, thereabouts, and I knew I wanted a change. I’d abandoned the career I’d attended college for, technical theatre, and was working retail for a large, national company. A longer story for another time is how I came to know that I wanted to get into computer security; specifically, I thought it would be digital forensics. The problem was that my technical skills were novice-level, so I needed to find a way to start getting into security, but how? (I can say now that my initial idea that the level of my skills was an impediment to getting started in a more technical role was wrong.) It was when researching paths in security that I discovered there was a whole realm beyond the keyboard. GRC required detailed thought and process, being able to see the big picture, connecting the dots, and, most importantly, wasn’t really the hot space everyone was clamoring to get into then. If you let people in an organization know you were interested in learning the GRC work, they were more than happy to turn it over to you and let you learn to tackle the project. So with that in mind, I want to add my voice to those that advocate for strong, quality policy.

I hear and see the same issues too many times. Organizations know that they need policies, but they don’t treat them as the tool that they are. They want to find some boilerplate template, do a find and replace to get their company name in there, and then call it done. Then, when they get audited and are asked to produce a specific policy, they just turn it over and mark the checklist item done. This is, in fact, the worst way to do policy and the main reason so many organizations have policies that are useless, awful, and create a lot more liability than they reduce: a policy that commits you to controls you never implemented is a written admission of non-compliance waiting for an auditor, a regulator, or a plaintiff’s lawyer to find. Your policies should be specific to you, speak to your values, and be far simpler than many think.

I used to think that policy needed to cover every component in explicit detail. The more I read and learned, the more it seemed that was inaccurate. But it was the way so many organizations went about it, and how so many boilerplate templates online were written. The best example I ever heard about good policy came from a member of our GRC Slack. He always highlights the dress code policy at GM, which for years was simply, “dress appropriately.” Not every policy can be this concise, obviously. But it is a prime example of what a policy should be at its core: simple and to the point, speaking to the mission and values that leadership has put forth. If we took that GM dress code policy and made it look more like the online templates and policies we’ve seen at many companies, it would likely run for pages. How middle management should dress, how factory workers should dress, likely a further breakdown at each of those divisions and levels, setting what was appropriate for men and what was appropriate for women. So many organizations like to talk about their culture. A policy as simple as “dress appropriately” lets you gauge how good your culture is and how well it is understood by the people in the organization. “Appropriate” can be subjective. But if all people are working from the same cultural perspective, then the variations are likely minimal. Few people will show up to their job in inappropriate dress. The culture is strong, and they feel a sense of belonging to it, so they are able to determine what “appropriate” looks like.

A policy can be given to any business leader in the organization, and it should allow them to set their own standards and processes and to initiate projects that speak to that policy and the mission behind it. Let’s take a simple, common policy item and work it through. Ownership determines that they do not want staff accessing their personal email accounts from the corporate environment. There are various elements of risk that personal email access creates (malware and phishing that bypass the corporate mail filters, data leaving through a channel you cannot monitor), which have been reviewed and presented to ownership. After consideration, it makes the most sense from a business risk standpoint to have a policy against accessing personal email. All you need to have in the policy is something akin to, “It is corporate policy that personal email, e.g., Gmail, Hotmail, Yahoo, et al., may not be accessed from corporate assets, including workstations, servers, networks, and mobile devices provided by the organization to an employee.” That’s it; that’s all that’s needed. It doesn’t say that we have to put the following controls in place to prevent access; just that the policy is you may not access personal mail from corporate assets. Simple, straightforward, and it leaves little room for interpretation. One of the reasons that you don’t want your policy to get too detailed is that policy sign-off and approval should flow through senior leadership, and new or amended policies should go through a more deliberate process before they are approved and implemented. Policies should be reviewed at least annually. This doesn’t mean that we can’t adapt the rest of our organization on the fly, so to speak. Standards that are referenced by policies are where we provide more detail about how we’re ensuring policy is met, and because they are owned closer to the work, the approval for them is usually less formal. If the policy had named a specific blocking technology, changing that technology would mean reopening the policy with senior leadership; keeping the “how” in the standard lets the control evolve without touching the policy.

Staying with the personal email policy, let’s take it through to where it can go, providing a sense of ownership to our department leaders. Our IT Director can read the policy and realize that there’s a simple way to adhere to it, strengthen security, and cut down on nuisance helpdesk tickets: block access to all personal webmail sites. It can be done at the firewall or on the endpoints specifically; the point is the IT Director can determine what works best. That’s it; that’s all they need. Now it’s part of their standards, which go into their standard configuration documents. People will still want access to their webmail, but the IT Director also knows everyone has a personal mobile device with an app for that email service. To keep staff happy and avoid having them find a way around the controls, they set up a separate wireless network that any staff member can join with a personal device, kept apart from the corporate network. There is also a block on corporate endpoints so they can’t join that wireless network. In order to create that wireless network, the IT Director gets with their Network Administrator. The Network Administrator points out that if they’re going to create one separate network, why not segment the internal, corporate networks too? The entire infrastructure has its security posture strengthened, and hardly any of it is in a policy.
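To show where the policy stops and the standard and its control begin, here is an added example (not from the original post and not any particular product’s configuration). The policy says “no personal email from corporate assets”; the standard, assumed here, is the list of webmail domains the IT Director chose to block; the control is the firewall or endpoint block; and the check below audits a constructed proxy log for requests that should have been blocked but were allowed. It also shows one detail that belongs in a standard rather than a policy: domain matching must respect label boundaries, so “www.hotmail.com” counts as Hotmail but “gmail.com.example.net” does not count as Gmail.

```python
"""Added example, not from the original post: one way an IT team might turn the
"no personal webmail from corporate assets" policy into a checkable standard.

The blocklist below is an assumption standing in for the IT Director's
standard, and the proxy log lines are constructed for this example.
"""
from __future__ import annotations

# Standard (assumed): webmail domains the IT Director decided to block.
BLOCKED_WEBMAIL_DOMAINS = (
    "mail.google.com",
    "gmail.com",
    "outlook.live.com",
    "hotmail.com",
    "mail.yahoo.com",
)

# Constructed sample proxy log, one request per line:
# "<timestamp> <client_ip> <host> <ALLOW|DENY>"
SAMPLE_PROXY_LOG = """\
2024-03-01T09:00:01Z 10.1.2.3 mail.google.com ALLOW
2024-03-01T09:00:05Z 10.1.2.3 accounts.google.com ALLOW
2024-03-01T09:01:10Z 10.1.2.4 www.hotmail.com ALLOW
2024-03-01T09:01:30Z 10.1.2.5 gmail.com.example.net ALLOW
2024-03-01T09:02:00Z 10.1.2.6 mail.yahoo.com DENY
2024-03-01T09:02:45Z 10.1.2.7 outlook.live.com ALLOW
"""


def matches_domain(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it.

    Matching is done on label boundaries: "www.hotmail.com" matches
    "hotmail.com", but "gmail.com.example.net" does not match "gmail.com",
    which a naive substring or endswith() check would wrongly flag.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def is_blocked_webmail(host: str, blocklist=BLOCKED_WEBMAIL_DOMAINS) -> bool:
    """True if the host falls under any domain in the standard's blocklist."""
    return any(matches_domain(host, d) for d in blocklist)


def find_violations(log_text: str, blocklist=BLOCKED_WEBMAIL_DOMAINS) -> list[tuple[str, str]]:
    """Return (client_ip, host) for requests the proxy ALLOWED to a blocked
    webmail domain, i.e. places where the control did not enforce the policy."""
    violations: list[tuple[str, str]] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the audit
        _ts, client_ip, host, action = parts
        if action == "ALLOW" and is_blocked_webmail(host, blocklist):
            violations.append((client_ip, host))
    return violations


if __name__ == "__main__":
    for ip, host in find_violations(SAMPLE_PROXY_LOG):
        print(f"policy gap: {ip} reached {host} despite the webmail block")
```

Two things worth noticing. First, the policy text never changes if the IT Director later moves the block from the firewall to an endpoint agent or swaps the domain list; only the standard and this check do. Second, a domain blocklist is never complete (note that accounts.google.com is not flagged because the assumed standard does not list it), so the audit tells you where the standard is thin, which is exactly the conversation a standard, not a policy, should be having.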

That policy sets the tone for standards, processes, and guidelines. Each department can craft its own, knowing that all they really need to do is ensure that what they put in speaks to the policy, which is there to convey the overall corporate mission. If we set an expectation that each of these components of our organization is properly documented, then compliance, from a variety of perspectives, begins to fall into place with minimal additional action. I recommend establishing templates for the various types of documents you expect to have. Once those exist, it is much easier to keep the documentation current and accurate. If you make documentation, or its review, a required step for the official conclusion of any change project or upgrade, you will be enforcing your governance and compliance through ordinary process requirements rather than a separate compliance effort. This spares you the scramble that so commonly occurs when organizations choose, or need, to go through an audit, especially for certification or accreditation, and discover that the documentation is missing or years out of date.

Strong policies provide the cornerstone for the rest of the documentation that you’ll need, or require, from all departments within your organization. They bring clarity of mission, help realize the corporate culture you wish to create, and provide the north star every part of your organization can steer by. Policy creation and maintenance is not a task to be viewed as a burden. It is an opportunity to set yourself apart.

Published by Darth Sneakers

I am an InfoSec veteran, with experience in endpoint monitoring, SIEM, policy and procedure, phishing, and awareness training, both internally and as an external provider.