Develop and Deploy Security Policies

Enhance your overall security posture with a defensible and prescriptive policy suite.

  • Informal, un-rationalized, ad hoc policies do not explicitly outline responsibilities and compliance requirements, are rarely comprehensive, and are inefficient to revise and maintain.
  • End users do not traditionally comply with security policies. Awareness and understanding of what the security policy’s purpose is, how it benefits the organization, and the importance of compliance are overlooked when policies are distributed.
  • Adhering to security policies is rarely a priority to users as compliance often feels like an interference in daily workflow.

Our Advice

Critical Insight

  • Policies must be reasonable, auditable, enforceable, and measurable. If the policy items don’t meet these requirements, users can’t be expected to adhere to them. Focus on developing policies that are quantified and qualified so that they remain relevant.
  • No published framework is a perfect fit for your organization. One framework (or several) may provide useful guidance in developing your policy suite. From there, figure out what policy items apply to your organization and customize the documents. Otherwise, the policies won’t be enforceable.

Impact and Result

  • Short term: Save time and money using the templates provided to create your own customized security policies mapped to ISO 27001 and NIST standards.
  • Long term: After the initial policy development, minimal updates will be required to ensure the policy remains up to date. Long-term maintenance and compliance of the policy will ensure legal and corporate satisfaction of security measures.

Develop and Deploy Security Policies

1. Security Policies Research – A step-by-step document to help you build and implement your security policy program.

Our systematic approach will ensure that all relevant areas of security have an associated policy. The three-phase methodology will help you formalize the security policy program, develop the policy suite, and implement the security policy program.

2. Security Policy Prioritization Tool – A structured tool to help your organization prioritize your policy suite to ensure that you are addressing the most important policies first.

The Security Policy Prioritization Tool assesses the policy suite on policy importance, ease of implementation, and ease of enforcement. The output of this tool is your prioritized list of policies based on our policy framework.

3. Information Security Policy Charter Template – A customizable charter template to govern your security policy initiatives.

The Charter includes sections on security vision, security mission, strategic security and policy objectives, roles and responsibilities for developing security policies, and organizational responsibilities.

5. Policy Communication Plan Template – A template to help you plan your approach for publishing and communicating your policy updates across the entire organization.

This template helps you budget time for communications, identify all stakeholders, and avoid scheduling communications that compete with one another.

6. Security Culture Maturity Assessment and Content Development Tool – A structured tool to assess the current maturity of the security culture within your organization and determine the urgency and priority of different topics that end users will need training on.

This tool will help you:

  • Aggregate quiz scores and assess the organization’s knowledge level across different topic areas.
  • Evaluate the current maturity level of the human-centric security program and determine a suitable target state.
  • Determine the urgency of training topics for end users and use this information to decide when each topic needs to reach its audience group.

In short, this tool helps identify the gaps and initiatives needed to build an entire human-centric security program.


Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.

Overall Impact: 9.6/10

Average $ Saved: $12,882

Average Days Saved: 21

Client | Experience | Impact | $ Saved | Days Saved
Cross Insurance | Guided Implementation | 8/10 | N/A | 2
Caribbean Public Health Agency | Guided Implementation | 10/10 | $12,399 | 50
Fernco Inc | Guided Implementation | 10/10 | $30,999 | 35
Omya (Schweiz) AG | Guided Implementation | 10/10 | N/A | 10
Corix Infrastructure Inc. | Guided Implementation | 9/10 | $11,500 | 10
Centrastate Healthcare Systems | Guided Implementation | 10/10 | $7,439 | 35
Digital Armour Corporation | Guided Implementation | 10/10 | $4,959 | 2
Simcoe Muskoka Catholic District School Board | Guided Implementation | 10/10 | $10,000 | 20
Human Resources Professionals Association | Guided Implementation | 10/10 | $23,500 | 60
GSW Manufacturing | Guided Implementation | 8/10 | $4,959 | 6
Fernco Inc | Guided Implementation | 10/10 | N/A | 10
STgenetics | Guided Implementation | 10/10 | N/A | 10
University of Maribor | Guided Implementation | 10/10 | $1,800 | 2
MSS Business Transformation Advisory, Inc. | Guided Implementation | 10/10 | $12,395 | 10
Virginia Department of the Treasury | Guided Implementation | 10/10 | $1,800 | 50
City Of Issaquah | Guided Implementation | 10/10 | $31,940 | 120
College of the Ozarks | Guided Implementation | 9/10 | $10,000 | 50
Saskatchewan Blue Cross | Guided Implementation | 10/10 | $23,500 | 10
Ovivo Water | Guided Implementation | 8/10 | $5,000 | 5
Concordia University | Guided Implementation | 9/10 | $5,000 | 5
Florida State College at Jacksonville | Guided Implementation | 10/10 | $12,776 | 60
City of Fort Pierce | Guided Implementation | 10/10 | N/A | 110
The Little Potato Company | Guided Implementation | 9/10 | N/A | N/A
Saskatchewan Blue Cross | Guided Implementation | 10/10 | $25,000 | 20
City of Springfield | Guided Implementation | 10/10 | N/A | N/A
City of Alexandria, VA | Guided Implementation | 10/10 | N/A | N/A
City of Springfield | Guided Implementation | 10/10 | N/A | 120
Edgecombe County | Guided Implementation | 10/10 | N/A | 120
Roosevelt Management Company | Guided Implementation | 10/10 | $20,373 | 10
Lee County Clerk of Courts | Guided Implementation | 10/10 | N/A | N/A

Onsite Workshop: Develop and Deploy Security Policies

Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Formalize the Policy Program

The Purpose

  • Determine which security policies are necessary to meet your requirements, and obtain recommendations on how to optimize the development.
  • Acquire executive support for the new security policies.
  • Formalize a governing security policy charter.

Key Benefits Achieved

  • Be able to defend the framework and policies written based on business requirements and overarching security needs.
  • Leveraging an executive champion to advocate for the program can help policy adoption across the organization.
  • Formalize the roles, responsibilities, and overall mission of the program.

Activities and Outputs

Activity | Output
1.1 Understand the current state of policies. | Understanding of the current state of policies
1.2 Right-size your policy suite. | Right-sized policy suite
1.3 Understand the relationship between policies and other documents. | Defined policy structure for your suite
1.4 Define the policy framework. | Defined policy framework
1.5 Prioritize the development of security policies. | Prioritized list of security policies
1.6 Discuss strategies to leverage stakeholder support. | Action plan to engage stakeholder champion
1.7 Plan to communicate with all stakeholders. | Action plan for communicating the policy program plan with stakeholders
1.8 Develop the security policy charter. | Security Policy Charter

Module 2: Develop the Security Policies

The Purpose

Develop a comprehensive suite of security policies that are relevant to the needs of the organization.

Key Benefits Achieved

Time, effort, and money saved by developing formally documented security policies with input from Info-Tech’s subject-matter experts.

Activities and Outputs

Activity | Output
2.1 Discuss risks and drivers your organization faces that must be addressed by policies. | Understanding of the risks and drivers that will influence policy
2.2 Develop and customize security policies. | Up to 14 customized security policies (dependent on need and time)
2.3 Develop a plan to gather feedback from users. | Discussed action plan to assess policy feasibility with user group

Module 3: Implement the Security Policy Program

The Purpose

  • Ensure policies and requirements are communicated with end users, along with steps to comply with the new security policies.
  • Improve compliance and accountability with security policies.
  • Plan for regular review and maintenance of the security policy program.

Key Benefits Achieved

  • Streamlined communication of the policies to users.
  • Comply with rules and regulations and be better prepared for audits.
  • Incorporate security policies into daily schedule, eliminating disturbances to productivity and efficiency.

Activities and Outputs

Activity | Output
3.1 Plan the communication strategy of new policies. | Discussed action plan to communicate the policies with end users
3.2 Discuss myPolicies to automate management and implementation. | Understanding of how myPolicies can help policy management and implementation
3.3 Use the design-build-implement framework to build your communication channels. | Policy Communication Plan
3.4 Incorporate policies and processes into your training and awareness programs. | Action plan to incorporate policies into the security training and awareness programs
3.5 Measure the effectiveness of security policies. | Metrics and plans to measure the effectiveness of the program
3.6 Understand the need for regular review and update. | Action plan to regularly review and update the policies

Develop and Deploy Security Policies

Enhance your overall security posture with a defensible and prescriptive policy suite.

Many companies have security policies, but drop the ball at later stages of the process

The real challenge with respect to security policies isn’t development – rather it’s the communication, enforcement, and maintenance of them.

Figure: four circle graphs, labelled as follows.

  • 86% of companies have security policies... But...
  • Only 40% of non-IT employees are aware of these policies.
  • 46% of companies reported insufficient time and resources to update or implement policies.
  • 77% of IT professionals believe their policies need improvement and updating.

Source: Kaspersky, Global Corporate IT Security Risks, 2013

A security policy is a formal document that outlines the required behavior and security controls in place to protect corporate assets.

The policy allows employees to know what is required of them and allows management to monitor and audit their security practices against a standard policy.

Formally documented policies are often required for compliance with regulations.

The development of the policy documents is an ambitious task, but the real challenge comes later in the process.

Unless the policies are effectively communicated, enforced, and updated, employees won’t know what’s required of them and will not comply with essential standards, making the policies powerless.

The value of security policies can be found beyond just increasing security

This blueprint applies to you whether your needs are developing policies from scratch or optimizing and updating your security posture.

Value of developing security policies:

  • Enhanced overall security posture: fewer security incidents and more uptime of applications, as issues are pre-emptively avoided.
  • Better prepared for auditing and compliance requirements.
  • Increased operational efficiency.
  • Increased accountability.

Value of Info-Tech’s security policy blueprint:

  • Pre-made templates (based on best practices and our experience).
  • Comprehensive process surrounding policy development.
  • Strategy around effective communication and enforcement of policies.
  • Opportunity to work with an analyst to guarantee policy quality.

Impact

Short term: Save time and money using the templates provided to create your own customized security policies.

Long term: After the initial policy development, minimal updates will be required to ensure the policy remains up to date. Long-term maintenance and compliance of the policy will ensure legal and corporate satisfaction of security measures.

Security policies are essential to organizations of every size

Your policy requirements may differ, but the general driver is the same: more security.

Security policies are applicable to all verticals. The following industries are notable examples:

  • Finance
  • Insurance
  • Healthcare
  • Public administration
  • Education services
  • Professional services
  • Scientific and technical services

Info-Tech Insight

Policy is the link between people, process, and technology for any size of organization. Small organizations may think that having formal policies in place is not necessary for their operations, but compliance is applicable to all organizations and vulnerabilities affect all sizes as well. Small organizations partnering with clients or other organizations are sometimes viewed as ideal proxies for attackers.

If your organization has any compliance requirements, security policies can be mandatory.

Compliance standard examples and what they require:

PCI DSS
  • Implement strong access control measures.
  • Regularly monitor and test networks.

Gramm-Leach-Bliley Act (GLBA)
  • Financial institutions must provide customers with notice of their privacy policies.
  • Financial institutions must safeguard the security and confidentiality of customer information.

HIPAA
  • Protects the privacy of individually identifiable health information.
  • Sets standards for the security of electronic protected health information.

Measured value for Guided Implementations

Engaging in GIs doesn’t just offer valuable project advice, it also results in significant cost savings.

Purpose and measured value (estimated) of each GI:

Phase 1: Formalize the security policy program

Purpose: Understand the value in formal security policies and focus on the business requirements to determine which policies to prepare to update, eliminate, or add to your current suite. Conduct an analysis to prioritize the development of your policy suite.

Measured value:

  • Time, value, and resources saved using our processes: 1 FTE * 3 days * $80,000/year = $960
  • Time, value, and resources saved using our recommendations and tools: 1 FTE * 2 days * $80,000/year = $640

Phase 2: Develop the policy suite

Purpose: Using Info-Tech’s extensive policy template offering, choose which policies you need to optimize or add to and work to customize them to your requirements.

Measured value:

  • Time, value, and resources saved using our templates: 1 consultant * 15 days * $150/hour = $18,000 (if starting from scratch)

Phase 3: Implement the security policy program

Purpose: Use Info-Tech’s methodology and best practices to ensure proper communication, management, measurement, and continuous maintenance and review of your policy suite.

Measured value:

  • Time, value, and resources saved using our training and awareness resources: 1 FTE * 1.5 days * $80,000/year = $340
  • Time, value, and resources saved by using our enforcement recommendations: 2 FTEs * 5 days * $160,000/year combined = $3,200
  • Time, value, and resources saved by using our recommendations rather than bringing in an external consultant for review: 1 consultant * 5 days * $150/hour = $6,000

Total measured value for implementing Info-Tech’s processes for developing and deploying your security policies: $29,000+

ANALYST PERSPECTIVE

A poorly implemented policy can be worse than no policy at all.

"A policy for policy’s sake is useless if it isn’t being used to ensure proper processes are followed. A policy should exist for more than just checking a requirement box. Policies need to be quantified, qualified, and enforced for them to be relevant.

Policies should be developed based on the use cases that enable the business to run securely and smoothly. Ensure they are aligned with the corporate culture and, rather than introducing hindrances to daily operations, reflect security practices that support business goals and protection.

No published framework is going to be a perfect fit for any organization, so take the time to compare business operations and culture with security requirements to determine which ones apply to keep your organization secure."

Céline Gravelines,

Research Manager, Security, Risk & Compliance

Info-Tech Research Group

Our understanding of the problem

This Research Is Designed For:

  • A security manager who is dealing with the following:
    • Informal, ad hoc security policies (if any).
    • Lack of compliance and accountability with current policies.
    • Out-of-date and irrelevant policies.
    • Preparing for an audit of security policies.

This Research Will Help You:

  • Identify and develop security policies that are essential to your organization’s objectives.
  • Verify and optimize proposed policies.
  • Integrate security into your corporate culture while maximizing compliance and the effectiveness of the security policies.
  • Maintain and update the policies as needed.

This Research Will Also Assist:

  • Business stakeholders who are responsible for the following:
    • Ensuring efficiency and productivity are not affected by integrating additional security policies into the daily routine of employees.
    • End users acquiring awareness and training on security policies to protect corporate assets.

This Research Will Help Them:

  • Save time and money in developing and deploying an effective security policy by using templates to minimize security risks.
  • Effectively communicate and train users on complying with new security policies.

Executive summary

Situation

  • Security breaches are inevitable and costly. Standard policies and procedures must be in place to limit the likelihood of occurrences and ensure there are processes to deal with issues efficiently and effectively.
  • Time and money are wasted dealing with preventable security issues that should be pre-emptively addressed in a comprehensive corporate security policy.

Complication

  • Informal, un-rationalized, ad hoc policies do not explicitly outline responsibilities and compliance requirements, are rarely comprehensive, and are inefficient to revise and maintain.
  • End users do not traditionally comply with security policies. Awareness and understanding of what the security policy’s purpose is, how it benefits the organization, and the importance of compliance are overlooked when policies are distributed.
  • Adhering to security policies is rarely a priority to users as compliance often feels like an interference to daily workflow.

Resolution

  • Comprehensively developed and effectively deployed security policies enable IT professionals to work proactively rather than reactively, benefitting the entire organization, not only IT. Formally documented and enforced policies are key to demonstrating due diligence, proactive threat reduction, and overall compliance consistency.

Info-Tech Insight

  1. Policies must be reasonable, auditable, enforceable, and measurable. If the policy items don’t meet these requirements, users can’t be expected to adhere to them. Focus on developing policies that are quantified and qualified in order to be relevant.
  2. No published framework is a perfect fit for your organization. One (or several) frameworks may provide useful guidance in developing your policy suite. From there, figure out what policy items apply to your organization and customize the documents. Otherwise, the policies won’t be enforceable.

Case study: A small digital marketing company needed to learn the value of full-circle policy development and enforcement

Industry: Marketing

Source: Info-Tech Research Group

The organization began its policy strategy by acknowledging the need to formalize.

Challenges

  • “You don’t know what you don’t know.” The director of infrastructure was unsure of where to start with developing the organization’s formal information security policies, what the current state of policies was, or which kind of gaps needed to be filled with policies.
  • The organization also needed to be able to demonstrate to customers that it had proper security procedures in place to protect their data.

Next Steps:

  • Determine what policies the organization has and what gaps need to be filled.
  • Understand how to improve overall security policy strategy, with accompanying processes, to come full circle with implementing better security practices in general.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Develop and Deploy Security Policies

1. Formalize the security policy program

2. Develop the policy suite

3. Implement the security policy program

Best-Practice Toolkit

1.1 Understand the current state of policies.

1.2 Right-size your policy suite.

1.3 Understand the relationship between policies, standards, procedures, and guidelines.

1.4 Define the policy framework.

1.5 Prioritize the development of security policies.

1.6 Leverage stakeholders to champion security policies.

1.7 Inform stakeholders of the policy initiative.

1.8 Develop the security policy charter.

2.1 Customize your prioritized templates to develop your new policies.

2.2 Gather feedback from users to assess the feasibility of the new policies.

2.3 Submit policies to upper management for approval.

3.1 Understand the need for communication.

3.2 Use myPolicies to automate management and implementation.

3.3 Use the design-build-implement framework to build your communication channels.

3.4 Incorporate policies and processes into your training and awareness programs.

3.5 Measure the effectiveness of security policies.

3.6 Understand the need for regular review and update.

Guided Implementations

  • Understand policy needs and begin policy charter.
  • Review charter and prioritize policy development.
  • Formalize stakeholder support.
  • Customize the policy templates.
  • Gather feedback on the policies and get approval.
  • Communicate the security policy program.
  • Formalize program maintenance.

Onsite Workshop

Module 1:

Formalize the security policy suite

Module 2:

Develop the policy suite

Module 3:

Implement the security policy program

Workshop overview

Contact your account representative or email Workshops@InfoTech.com for more information.

Workshop Day 1: Formalize the policy program

Activities:

1.1 Understand the current state of policies.

1.2 Right-size your policy suite.

1.3 Understand the relationship between policies and other documents.

1.4 Define the policy framework.

1.5 Prioritize the development of security policies.

1.6 Discuss strategies to leverage stakeholder support.

1.7 Plan to communicate with all stakeholders.

1.8 Develop the security policy charter.

Deliverables:

1. Security Policy Prioritization Tool

2. Security Policy Charter

Workshop Day 2: Develop the security policies

Activities:

2.1 Discuss the risks and drivers your organization faces that must be addressed by policies.

2.2 Develop and customize security policies.

Deliverables:

1. Security Policies (approx. 7)

Workshop Day 3: Develop the security policies (continued)

Activities:

2.1 Discuss the risks and drivers your organization faces that must be addressed by policies (continued).

2.2 Develop and customize security policies (continued).

2.3 Develop a plan to gather feedback from users.

2.4 Discuss a plan to submit policies for approval.

Deliverables:

1. Security Policies (approx. 7)

Workshop Day 4: Develop the implementation plan

Activities:

3.1 Manage policy implementation.

3.2 Plan the communication strategy of new policies.

3.3 Discuss myPolicies to automate management and implementation.

3.4 Use the design-build-implement framework to build your communication channels.

3.5 Incorporate policies and processes into your training and awareness programs.

3.6 Measure the effectiveness of security policies.

3.7 Understand the need for regular review and update.

Deliverables:

1. Policy Communication Plan Template

2. Security Culture Maturity Assessment and Content Development Tool

Workshop Day 5: Finalize deliverables and next steps

Activities:

Review customized charter and policy templates.

Discuss the plan for policy rollout.

Schedule follow-up Guided Implementation calls.

Deliverables:

1. All deliverables finalized

Phase 1

Formalize the Security Policy Program

This phase will walk you through the following activities:

  • Understand the current state of your organization’s security policies.
  • Right-size your policy suite to launch a culture of compliance.
  • Understand the relationship between policies and procedures and the policy hierarchy.
  • Define your policy framework in relation to Info-Tech’s recommended framework.
  • Prioritize the development of your security policies.
  • Leverage key stakeholders to champion the policy initiative.
  • Inform all relevant stakeholders of the upcoming policy program.
  • Develop the security policy charter.

Outcomes of this phase

  • A policy framework for the security policy program.
  • A prioritized list of relevant policies to develop.
  • Stakeholder support and awareness of the program.
  • A customized security policy charter.

Phase 1 outline

Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Guided Implementation 1: Formalize the Security Policy Program

Proposed Time to Completion: 1-2 weeks

Understand Policy Needs and Begin Policy Charter

Start with an analyst kick-off call:

  • Set expectations and the purpose for the project.
  • Discuss the specific business and security needs, as well as pain points.
  • Introduce policy charter requirements.

With these tools & templates:

  • Security Policy Charter

Review Charter and Prioritize Policy Development

Review findings with analyst:

  • Review the customized security policy charter.
  • Introduce the tool and factors required to effectively prioritize the development of security policies.

With these tools & templates:

  • Security Policy Prioritization Tool

Formalize Stakeholder Support

Finalize phase deliverable:

  • Discuss the value of assigning an executive champion for the policy program.
  • Define a plan for communicating the program with all relevant stakeholders.

With these tools & templates:

  • Security Policy Charter

Phase 1 Results & Insights:

  • Design separate policies for different areas of focus. Policies that are written as single, monolithic documents are resistant to change. A hierarchical top-level document supported by subordinate policies and/or procedures can be more rapidly revised as circumstances change.
  • Each policy should be a unique living document that is continually iterating. Each version includes language that remains abstract in nature in order to be adapted at the procedural level.

1.1 Understand the current state of policies

Each organization begins work on its security policies from one of two starting points, Scenario 1 or Scenario 2.

Scenario 1: You have existing policies

  • Policies are living, evolving documents that require regular review and update, so even if you have policies already written, you’re not done with them.
  • Use the Security Policy Prioritization Tool to identify any gaps between the policies you already have and those recommended based on your changing business needs.
  • Schedule a Guided Implementation with an Info-Tech analyst to review your current documents and offer advice.
  • As your organization undergoes changes, be sure to incorporate new requirements in the existing policies.
  • Sometimes, you may have more specific procedures for a domain’s individual security aspects instead of high-level policies.
  • Group current policies into the domains and use the policy templates to create overarching policies where there are none and improve upon existing high-level policies.
    • Now that you have a better idea of the details within each domain, you can continue creating policies as per your requirements, while maintaining connections to best-practice standards.

Scenario 2: You are starting from scratch

  • To get started on new policies, use the Security Policy Prioritization Tool to identify the policies Info-Tech recommends based on your business needs. See the full list of templates in the Appendix to ensure that all relevant topics are addressed.
  • Whether you’re starting from scratch or have incomplete/ad hoc policies, use Info-Tech’s policy templates to formalize and standardize security requirements for end users.

Info-Tech Best Practice

Take advantage of your Info-Tech advisory membership by scheduling review sessions with an analyst. We can provide high-level feedback to ensure your policies are clear, concise, and consistent, while providing adequate coverage of the security domains often overlooked by general end users.

1.2 Right-size your policy suite to launch a culture of compliance

You have an opportunity to improve your employee alignment and satisfaction, improve organizational agility, and obtain high policy adherence. This is achieved by translating your corporate culture into a policy-based compliance culture.

A compliance culture is a component of an overall corporate culture where elements of company culture are embedded in policy.

A circle graph is displayed. It is labelled: 40% of organizations rated training employees on policies as one of their top three policy management challenges.

Source: NAVEX Global, “2016 Ethics & Compliance Policy Management Benchmark Report”

Align your security policies to NIST Special Publication 800-171 by utilizing Info-Tech’s policy templates.

Image: example page from NIST Special Publication 800-171.

Source: NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

1.3 Understand the relationships between policies, standards, procedures, and guidelines

A model is depicted to define policy, standard, and guideline, and the relationship between them.

Understand the hierarchy of the policy suite

Structuring policy components at different levels allows for efficient changes and direct communication depending on what information is needed.

Figure: a triangle divided into three horizontal tiers showing the hierarchy of the policy suite. Top tier: Security Policy Charter. Middle tier: Security Policies. Bottom tier: IT and/or Security Procedures. Each tier is described alongside the triangle.

Info-Tech Best Practice

Design separate policies for different areas of focus. Policies that are written as single, monolithic documents are resistant to change. A hierarchical top-level document supported by subordinate policies and/or procedures can be more rapidly revised as circumstances change.

1.4 Define the policy framework

Governance documents for IT and the security program have an intertwined relationship.

The image is a model to show the intertwined relationship between the IT Department Charter, Security Program Charter, IT Policy Charter, and Security Charter.

Align your policies to NIST Special Publication 800-171:

Why does it matter?

Customizing Info-Tech’s policy framework allows your organization to align your policy suite to NIST 800-171. Given NIST’s requirements for protecting controlled unclassified information, organizations that align their policies to NIST’s standards will be in the best governance position.

Model of Security Charter in relation to policy framework

Info-Tech Insight

Differentiate between a “living document” policy and a procedure. Each policy should be a unique living document that is continually iterating. Each version includes language that remains abstract in nature in order to be adapted at the procedural level.

Align your procedures with Info-Tech’s policy framework

Associated Procedures:

Model of Security Charter and the associated procedures

1.5 Prioritize development of security policies

Info-Tech’s policies don’t require a top-down approach. Instead, define the order of policy creation by considering the following criteria:

  1. Importance: How relevant is this policy to organizational security?
  2. Ease to Implement: What is the effort, time, and resources required to write, review, approve, and distribute the policy?
  3. Ease to Enforce: How much effort, time, and resources are required to enforce the policy?

Align policies to recent security concerns. If your organization has recently experienced a breach it may be crucial to highlight corresponding policies as immediately necessary.

Info-Tech Best Practice

If you have an existing policy that aligns with one of the Info-Tech recommended templates, weight Ease to Implement and Ease to Enforce as HIGH (4-5). This will decrease the priority of those policies.

Activity 1.5: Use Info-Tech’s Security Policy Prioritization Tool to prioritize your security policies

Estimated Time: 60 minutes

The Info-Tech Security Policy Prioritization Tool will help you determine which security policies to work on first.

  • The tool allows you to prioritize your policies based on importance, ease to implement, and ease to enforce.
  • Additionally, the weighting or priority of each variable of prioritization can be adjusted.

Importance: How relevant is this policy to organizational security?

Ease to Implement: What is the effort, time, and resources required to write, review, approve, and distribute the policy?

Ease to Enforce: How much effort, time, and resources are required to enforce the policy?

There are three screenshots of Info-Tech's Security Policy Prioritization Tool.

Case Study: Director of infrastructure culled from past policies to create a new portfolio

Industry: Marketing

Source: Info-Tech Research Group

See the organization deal with policy enforcement in Phase 3.

Borrowing policies from a previous job gave his current organization a starting point.

Solution

  • The infrastructure director leveraged policy templates from his previous position within a government facility.
    • Examples:
      • Disaster Recovery
      • Document Retention
      • Information Systems Security Incident Response

Additional Challenges

  • The organization’s policy selection/development strategy is ad hoc at best. Mapping policies to standards like NIST or ISO helps ensure comprehensive coverage.
  • The organization still needed to determine how best to deploy the policies internally, communicating and enforcing them. Policies are just paper otherwise.

Next Steps:

  • Establish a strategy to formalize deployment of policies.
  • Determine methods to measure the effectiveness of the policies on the organization’s overall security practices.

1.6 Leverage stakeholders to champion security policies

First Step: Identify an executive champion who will ensure that the security program and the security policies are supported.

Executive champion: a member of the executive team who is not inherently part of the IT department, but who will lead and support the program at a high level.

Additional Action: Leveraging the current security landscape can be a useful mechanism to drive policy buy-in from stakeholders.

Image is an outline of a person with a speech bubble: I read in the news that there was a breach yesterday.

Info-Tech Insight

Use FUD sparingly. Excessive use of fear, uncertainty, and doubt can create paranoia within your organization. Instead, when applicable, send recent breach reports as a reminder to update policies.

1.7 Inform stakeholders of the policy initiative

Security policies are only effective if they support the business requirements. User input is crucial for developing a strong security culture.

  • Management buy-in is key to policy acceptance; it indicates that policies are accurate, align with the business, and are to be upheld, that funds will be made available, and that all employees will be equally accountable.
  • Buy-in is not just approval and funding, but also the championing of adoption – this says not just “we approve” but also “we will adhere and enforce.” Implementation must be seen to be top-down, not bottom-up.
  • Put security in terms of risk and protection: security can be viewed as an interference, but the business is likely more responsive to the concepts of risk and protection because it can apply to overall business operations and a revenue-generating mandate.
  • When developing policies, consider:
    • The business objectives
    • Corporate assets to protect
    • Risks/threats to the assets and objectives
    • The audience of the policy

Purpose of a security policy to management:

  • Support the business.
  • Defend the business.

Info-Tech Insight

While management support is essential to initiating a strong security posture, allow employees to provide input on the development of security policies. This cooperation will lead to easier incorporation of the policies into the daily routines of workers, with less resistance. The security team will be less of a police force and more of a partner.

1.8 Develop the security policy charter

The security policy charter is an integral component of policy development.

Policy Charter Value:

  • Defines roles and responsibilities for the security policy suite.
  • Aligns the business goals, security program goals, and policy objectives.
  • Dictates the direction of the entire policy suite.

A model is displayed to show how security program vision & mission, business strategic goals, and defined security policy roles & responsibilities relate to the security policies charter

Info-Tech Insight

Policy is the link between people, process, and technology (P-P-T) for any size of organization. The policy charter defines this link. Individual policies will align P-P-T; the charter, however, will clarify the policies’ relationship, both with each other and with the organization.

Activity 1.8: Develop the security policy charter

Estimated Time: 60 minutes

Steps:

  1. Review the sections within the policy charter template. Begin by customizing any grey text to organization-specific information or details. Delete any sections or subsections that do not apply to your IT department.
  2. Solicit feedback on the charter from stakeholders, specifically, IT department management and business stakeholders. Ensure that all business goals are outlined and complementary IT objectives have been identified.
  3. As necessary, modify the charter and receive approved sign-off by your organization’s leadership.

Validate the policy suite ownership and responsibility by asking management to review and sign off on your policy charter.

Screenshot of Info-Tech's Information Security Charter

Input

  • Business, IT, and Security insight

Output

  • Security policy charter statements

Materials

  • Note-taking materials

Participants

  • Identified stakeholders

Record your results in Info-Tech’s Information Security Policy Charter Template.

If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop.

To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team

Onsite workshops offer an easy way to accelerate your project. If a Guided Implementation isn’t enough, we offer low-cost onsite delivery of our project workshops.

Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office.

We take you through every phase of your project and ensure that you have a plan in place to successfully complete your project.

Rita Zurbrigg

Consulting Analyst – Security, Risk & Compliance

Info-Tech Research Group

Céline Gravelines

Research Manager – Security, Risk & Compliance

Info-Tech Research Group

Jessica Ireland

Associate Director – Security, Risk & Compliance

Info-Tech Research Group

Call 1-888-670-8889 or email workshops@infotech.com for more information.

Phase 2

Develop the policy suite

This phase will walk you through the following activities:

  • Customize your prioritized policy templates to develop the suite.
  • Ensure clarity, consistency, and brevity are incorporated into the policy development.
  • Gather and incorporate feedback from users to ensure feasibility of the policy program.
  • Get approval for the new security policies.

Outcomes of this Phase

  • Completed and customized security policies, aligning with the NIST SP 800-171.
  • Feedback from users on the usability and feasibility of the policies to incorporate into the final drafts.
  • Approval from key groups to get the policies implemented at an organizational level.

Phase 2 outline

Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Guided Implementation 2: Develop the policy suite

Proposed Time to Completion: 2-4 weeks

Customize the Policy Templates

Get started on developing the suite:

  • Based on the prioritized list of policies, begin customizing the most relevant policies.
  • Ensure the documents reflect your organizational needs.

With these tools & templates:

  • Security Policy Templates, aligned with NIST SP 800-171

Gather Feedback on the Policies and Get Approval

Review findings with analyst:

  • After submitting draft policies for review, discuss feedback to ensure the documents are relevant to your environment.
  • Make adjustments to the documents as necessary.
  • Discuss the benefits of developing a “focus group” to ensure feasibility with different user groups.
  • Submit documents to management for approval.

With these tools & templates:

  • Security Policy Templates, aligned with NIST SP 800-171

Phase 2 Results & Insights:

  • As technology and processes change, keep policy management simple by defining the policies as general high-level requirements that can stand the test of time, while procedures can be more easily updated without strict approval requirements.
  • Allow employees to provide input on the development of security policies. This cooperation will lead to easier incorporation of the policies and less resistance. The security team will be less of a police force and more of a partner.

2.1 Customize your prioritized templates to develop your new policies

There are six screenshots of Info-Tech's policy templates.

Info-Tech Best Practice

Consistency is king. Use Info-Tech’s NIST-aligned templates to ensure that all policies are standardized. For any previously developed policies, use Info-Tech’s Policy Template.

Use the three Cs to create easy-to-follow policies

Policies are essential governance tools that create transparency and set expectations. Successfully drafted policies adhere to the three Cs of effective policy documentation.

  1. Be clear. Make it as easy as possible for a user to learn how to comply with your policy.
  2. Be consistent. Write policies that complement each other, not contradict each other.
  3. Be concise. Make it as quick and easy as possible to read and understand your policy.

Figure: four circles, three arranged around one in the middle. The middle circle reads: Effective policies. The three outer circles are labelled: Clear, Concise, and Consistent.

Use the three Cs: Be clear

Your employees need to understand your policy in order to comply with it. Start by writing your policy with the goal of making compliance as straightforward as possible. Then, use simple, softer language to convey your intentions and rationale to your employees. The more your employees can understand and empathize with business needs, the more they will adhere to your policy.

  • Choose a clear writer: Choose a writer who is skilled in explaining complicated tasks in plain English.
  • Define key terms. Before writing the main text, define all terms you will use in the document.
  • Default to simple language. If you have to use technical terminology to describe a task, make sure you clearly define your terms upfront.
  • Use active language. Since the goal of policy and procedure documentation is to direct behavior, active language will ensure that the documents read as such.
  • Use soft language where possible. You don’t want to be perceived as “the police” – you want employees to understand why you’re asking them to do this.
  • State the rule. From the perspective of the employee, it is much easier to understand a policy if the purpose and goals of the document are clearly stated.
  • Be prescriptive or directive. Your policy should either explicitly refer to an approved procedure or recommend a course of action for compliance.
  • Note exceptions. Define grey areas not covered explicitly in the policy. This will leave less room for interpretation, minimize deviation from the desired course of action, and increase compliance.

Info-Tech Insight

Highly effective policies are written without a technical audience in mind. Your policies should be “skimmable.” Very few people will fully read a policy before accepting it. Make it obvious where and when a policy applies so that when an employee needs to read a policy in detail, they will know where to find the information they need from their skim.

Use the three Cs: Be consistent

Ensure that policies are aligned with other organizational policies and procedures. It detracts from compliance if different policies prescribe different behavior in the same situation. Moreover, your policies should reflect the corporate culture and other company standards. Use your policies to communicate rules and get employees aligned on how your company works.

  • Use standard sentences and paragraphs. Policies are usually expressed in short, standard sentences. Lists should also be used when necessary or appropriate.
  • Remember the three Ws. When writing a policy, always be sure to clearly state what the rule is, when it should be applied, and who it covers. Policies should clearly define their scope of application and whether directives are mandatory or recommended.
  • Use an outline format. Using a numbered or outline format will make a document easier to read and will make content easier to look up when referring back to the document at a later time.
  • Avoid amendments. Avoid the use of information that is quickly outdated and requires regular amendment (e.g. names of people).
  • Reference a set of supplementary documents. Codify your tactics outside of the policy document, but make reference to them within the text. This makes it easier to ensure consistency in the behavior prescribed by your policies.

"One of the issues is the perception that policies are rules and regulations. Instead, your policies should be used to say ‘this is the way we do things around here.’"

- Mike Hughes, CISA, CGEIT, CRISC – Principal Director, Haines-Watts GRC

Use the three Cs: Be concise

Reading and understanding policies shouldn’t be challenging, and it shouldn’t significantly detract from productive time. Long policies are harder to read and understand, and they increase the work required for the employee to comply. Put it this way: how many times have you read the Terms and Conditions of software you’ve installed before accepting them?

  • Be direct. The quicker you get to the point, the easier it is for the reader to interpret and comply with your policy.
  • Your policy is a rule, not a recipe. Your policy should outline what needs to be accomplished and why – your standards, guidelines, and SOPs address the how.
  • Keep policies short. Nobody wants to read a huge policy book, so keep your policies short.
  • Use additional documentation where needed. In addition to making consistency easier, this shortens the length of your policies, making them easier to read.
  • Policy still too large? Modularize it. If you have an extremely large policy, it’s likely that it’s too widely scoped. Consider breaking your policy into smaller, more digestible documents.

"I always try to strike a good balance between length and prescriptiveness when writing policy. Your policies should be the top-tier umbrella – these should be short and describe the problem and your approach to solving it. Below policies, you write standards, guidelines, and SOPs."

- Michael Deskin – Policy and Technical Writer, Canadian Nuclear Safety Commission

Activity 2.1: Customize security policy documents

Estimated Time: 1-2 hours per policy

Steps:

  1. Review your prioritized list of policies from tab 4 in your Security Culture Maturity Assessment and Content Development Tool. Download the associated policy template for your highest ranked policy.
  2. Follow the instructions written in grey text to fill out each heading. Ensure that you are following the three Cs as you write your policy.
  3. When your draft is finished, prepare to request sign-off from your signing authority.
  4. Complete the highest ranked 3-4 draft policies and receive formal sign-off for these policies at the same time. Include all relevant signing authorities in the sign-off process.

Iterate this process until all relevant policies are complete.

Input

  • Security Policy Prioritization Tool

Output

  • Written policy drafts ready for approval

Materials

  • Policy templates

Participants

  • Policy Writer
  • Signing Authority

Info-Tech Best Practices

Before distributing for formal approval, review each policy statement with the three Cs in mind. Policy statements should remain consistent, directional documents that have minimal changes year over year.

2.2 Gather feedback from users to assess the feasibility of the new policies

Once the policies are drafted, select a diverse group of users from various departments to verify the policies are realistic and usable.

  1. Form a test group of users with various backgrounds within the organization, including employees with different technical skill levels and across various departments.
    • Consider a reasonable sample size (~10 testers).
  2. Present new policies to the testers.
    • Allow them to read the documents and attempt to comply with the new policies in their daily routines.
  3. Collect feedback from various sources.
    • Consider leveraging interviews, email surveys, or group discussions.
  4. Make reasonable changes to the first draft of the policies before distributing them company-wide.
    • Policies will only be adhered to if they’re realistic and user friendly.

Every policy will not be relevant for every role in the organization. Ensure that your policies target the appropriate audience.

Questions to consider:

  • What roadblocks do you see in complying with these policies?
  • Do the policies interfere with daily tasks?
  • Are the technical security measures feasible to implement?
  • Are the expectations clear?
  • Is compliance simple enough?
  • Is this policy relevant to your role?

Info-Tech Best Practice

Allow employees to provide input on the development of security policies. This cooperation will lead to easier incorporation of the policies and less resistance. The security team will be less of a police force and more of a partner.

2.3 Submit policies to upper management for approval

Policies ultimately need to be accepted by the business and incorporated into the broader policies of the organization.

Policies don't just live within IT.

Once the policy drafts are completed:

  • Identify who is in charge of approving the policies.
  • Ensure they understand the importance, context, and repercussions of the policies.
    • Leverage the Policy Communication Plan Template in Phase 3 to communicate the overall program.
  • Common groups involved with approval:
    • Upper Management
    • Legal/Compliance Team
    • Human Resources
  • Questions to ask:
    • Do the policies satisfy compliance and regulatory requirements?
    • Do the policies work with the corporate culture?
    • Do the policies address the underlying need?

If the draft is approved:

  • Set the “effective date.”
  • Begin communication, training, and implementation (Phase 3).

If the draft is rejected:

  • Acquire feedback and make revisions.
  • Resubmit for approval.

Remember: Design policies to be high-level enough to stand the test of time; they shouldn’t require frequent updates and approval.

  • Save the technology or process-based details for standard or procedural documents. They can be more readily updated without the scrutiny of management approval for every change.

Policy: “Passwords must meet a minimum length of characters”

Standard: “Passwords must be at least 8 characters long”

Mini case study: “Testing, testing”

Industry: Education

Source: Info-Tech Research Group

School board initiates policy testing groups to gain support and ensure content understanding.

Challenges

  • A large public school board has proactively begun developing a more formal policy suite.
  • They’re dealing with a large operation – over 270,000 students and about 42,000 staff – so having documentation to support strong and secure processes is essential.
  • They were essentially starting from scratch and had a few levels of approval to get through to get support for the policies.

Solution

  • A senior security analyst leveraged existing templates to start determining what policies they needed.
  • To ensure the set of policies he considered was comprehensive, he began approaching testing groups.
    • After developing a draft of the policy, he’d approach the group it most applied to, discuss content, and determine whether current processes already complied with parts of the policies.
  • When he approached stakeholders, not only did he have evidence to support that affected users understood what they needed to adhere to, but he also was able to prove that the organization was already doing well at some compliance requirements.

Phase 3

Implement the Security Policy Program

This phase will walk you through the following activities:

  • Understand the need for communication with employees and stakeholders.
  • Use the myPolicies platform to automate the management of your security policies.
  • Use the design-build-implement framework to build communication channels.
  • Incorporate policies and processes into the training and awareness programs.
  • Measure the effectiveness of security policies in your organization.
  • Understand the need for regular review and maintenance and creating an action plan.

Outcomes of this phase

  • Communication plans for the security policy program.
  • Plans to incorporate policies into the awareness and training program.
  • Metrics to track the effectiveness of the security policy program.
  • Defined plan to regularly review and update the policy suite.

Phase 3 outline

Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Guided Implementation 3: Implement the security policy program

Proposed Time to Completion: 2-4 weeks

Communicate the Security Policy Program

Start with an analyst kick-off call:

  • Design, build, and implement the communication plan effectively to ensure users and stakeholders understand the importance and content associated with the policies.
  • Integrate the policies with the awareness and training program.

With these tools & templates:

  • Policy Communication Plan Template

Formalize Program Maintenance

Review findings with analyst:

  • Discuss a plan to ensure the policies are regularly reviewed and maintained.
  • Define a plan to regularly assess the policies in terms of user awareness, understanding, compliance, and business alignment.

With these tools & templates:

  • Security Culture Maturity Assessment and Content Development Tool

Phase 3 Results & Insights:

  • Communication should focus specifically on why the security policies apply to the employees and how they should be integrated into their daily tasks. Employees will pay better attention and be more responsive if the material is customized to directly address day-to-day routines. Use the strategies outlined in this phase to optimize your communication tactics.
  • Security policies are living documents that require reviews and updates to keep them relevant. If policies are not effective, either the policies have to change or the behavior has to change. Schedule regular review and maintenance to ensure they reflect reasonable, relevant requirements.

3.1 Understand the need for communicating policies with employees

Even the most thorough policies are useless if employees don’t know how to adhere to them.

  • 77% of IT professionals believe their security policies need to be updated or improved.
  • 40% of employees did not know that security policies existed.
  • 41% of employees described their reasoning for policy violation as “there is not enough risk to be concerned.”

Source: Data Leakage Worldwide: The Effectiveness of Security Policies, 2014

Remember...

  • Employees can’t protect against what they don’t know.
  • Employees can’t be held accountable for what they don’t know.
  • Employees must know that there are new security policies and the impact they have.
  • Employees must be able to interpret, understand, and know how to act upon the information they find in the policies.
  • Employees must understand the threats, where to get help, and from whom to ask questions.

Case study: A small digital marketing firm needs process improvement to support its policies through communication

Industry: Marketing

Source: Info-Tech Research Group

See the organization deal with policy enforcement later in Phase 3.

While the organization had its policies developed, there was a lack of formal deployments.

Challenges

  • Because of the organization’s size, there was a misconception that formal policy communication and training were unnecessary.
    • The organization believed common sense and trust would ensure compliance with policies.
    • The main focus was that the policies were there to show clients there was some formal documentation.
      • However, this ends up being a case of talking the talk, but not being able to demonstrate how they walk the walk as an organization.
  • Bottom line: As an organization evolves and grows, customers will likely delve into its standards. Right now the organization implements processes needed for each client on a project-by-project basis, but consistency in the future will be key.

Next Steps:

  • The organization reviewed its policies and determined which would be standards across the board, e.g. data retention.
  • Training was less ad hoc and more collective – everyone in the boardroom or per applicable group. Although it was still relatively informal, everyone got the same information.

3.2 Use myPolicies to automate the management and implementation of your security policies

myPolicies is Info-Tech’s web-based solution to create, distribute, and manage corporate policies, procedures, and forms. myPolicies provides policy managers with the tools they need to mitigate the risk of sanctions and reduce the administrative burden of policy management. It also enables employees to find the policies, procedures, and forms relevant to them and build a culture of compliance.

Some features of myPolicies:

  • Searchable centralized policy repository
  • Automated policy distribution
  • Digital sign-off
  • 150+ best-practice IT and HR policy templates
  • Two-way communication between policy owners and employees
  • One-click policy handbook creation
  • Audit-ready reports and logs
  • Version history and historical policy archive
  • Controlled document access

myPolicies fully automates many of the remaining steps in this blueprint.

Three screenshots of myPolicies

3.3 Use the design-build-implement framework to build your communication channels

Your end users need to be made aware that your policy exists in order to follow it. Additionally, you need to help them understand the what, why, and how of your policy to obtain their compliance. Employees who do not understand the risk implications of their actions are more likely to create risky situations for the business. Thus, craft a communications plan that incentivizes them to learn and follow your policies.

Use the design, build, implement framework to begin crafting your communications channels:

Figure: a right-facing arrow containing three boxes, labelled from left to right: Design, Build, and Implement.

Design

  • Create your communication strategy.

Build

  • Craft your communications.

Implement

  • Send out policy communication to the organization.
  • Publish policy documents.

Info-Tech Insight

Policy communication is almost as important as the policy itself. If your policies aren’t communicated well, your employees won’t get the message. Ignorance shouldn’t be an excuse for non-compliance – make it easy for employees to find and comply with policies.

Activity 3.3: Design, build, and implement your communications plan

Estimated Time: 2 hours

This step is automatable in myPolicies.

Instructions

  1. Download Info-Tech’s Policy Communication Plan Template.
  2. Use the instructions written in grey text to complete the communications plan. Use the following best practices to generate the data to populate the plan:
    • Use the checklist defined earlier in this section to develop a communications strategy.
    • Consider the “standardize, access, ownership, complement” best practices when choosing your communications channels.
  3. Publish your policies and implement your communications plan.

Input

  • Finished policies

Output

  • Policy communication plan

Materials

  • Policy Communication Plan Template

Participants

  • Policy Working Group Representative

Start by designing a communications strategy

A good communications strategy should consider the who, what, how, and when of policy deployment.

Policy changes shouldn’t come as a surprise to employees – they should be notified ahead of time that processes may change.

When the policy is actually written, users need to be made aware that policies exist, have access to the policy, and be able to read and sign the policy as easily as possible.

Use the following checklist to design your strategy:

  • Which employees can we not allow to ignore the policy?
  • Which employees need to understand and accept the policy?
  • Which employees only need access to the policy?
  • Who manages these employees?
  • Who can answer questions about the policy?
  • What communication tools do we have access to?
  • How will we ensure employees successfully receive and read the policy?
  • How much impact will our deployment model have on the organization (management time, network, existing systems, bandwidth, etc.)?
  • Where will the policies be stored once deployed?
Source: PolicyMatter Ltd., 2005

Next, build your communication tools

This step is automatable in myPolicies.

Now you need to decide how your policies go from your hands to those of your employees. When your policies get updated, your employees should be made aware immediately so they can begin adapting their behavior to comply. Whatever channels you use, they should follow these four best practices:

  1. Standardize: Your policies should all come in the same electronic format.
    • Policy updates should be documented and stored with your policies.
    • All company policies should be created using the same template.
  2. Access: Policies need to be made readily accessible to the staff they apply to.
    • Your policies should be located in a centralized repository.
    • Your SOPs, standards, guidelines, and best practices should be in a nearby repository if they are referenced in your policies.
  3. Ownership: Each document should have an author, approver, and moderator who oversees the review of that policy.
    • It should be obvious who can be asked questions relevant to the policy.
    • Contact information for the question taker should be easy to find.
  4. Complement: Use a variety of channels to spread awareness for your policies.
    • Using only one channel for communication is not enough to ensure compliance.
    • The messages in each channel should complement each other.
      • Email, office intranet, information sessions, and person-to-person interaction are examples of complementary channels.
Source: HospitalPortal.net, “3 Best Practices for Publishing Policies and Procedures”

Communicate and distribute new and updated policies with users

The following tips focus on communicating with people on a personal level and maintaining engagement.

  1. Specify how to tackle security issues at all stages of breaches; present policies in terms of prevention, detection, and response.
  2. Demonstrate the impact of security policy violations. Employees who are not aware of the damage a simple policy violation can cause tend not to take policies seriously.
  3. Communicate the consequences – up to and including termination – but ensure you maintain a proactive message of “if you practice what the policies preach and help us, this will likely not be a reality for you.”
  4. Provide an additional channel of informal communication. Some employees respond better to informal settings for asking questions and getting assistance, out of fear of seeming uneducated or unethical. Encourage anonymous, individual, or one-on-one conversations.
  5. Offer clear incentives. Employees often respond better to instant gratification than the potential to prevent a security breach that might never actually happen. It is difficult to link behaviors with security benefits.
  6. Inform them that certain processes are already in place to protect them as users, but they also have accountability and responsibility in this process – technology alone cannot fully protect the organization.

3.4 Incorporate policies and processes into your training and awareness programs

Education: It is important to educate, create awareness, and train users on IT security. However, without policies and processes users will be aware but unable to act on their knowledge and there will be no consequence to their actions.

Policy: Policies are needed to enforce accountability for end users. Policies are the foundation of any training program but without educating users on your policies and the processes to back up your policies, they will be ineffective.

Process: Processes are needed to guide end users to help them deal with a variety of different situations. Processes will change your users’ behavior, but without policies to enforce your processes, and education to help users understand them, your processes won’t be followed.

Successful organizations combine all three to create an effective security training and awareness program.

Creating policies will create accountability for security in your organization and will stand as the foundation of your awareness and training program. Applying processes to your policies will change end-user behavior to guide them on how to comply with your policies. Educate end users on your policies, processes, and the resources available for reacting to threats.

If you do not currently have a security awareness and training program, use Info-Tech’s Humanize the Security Awareness and Training Program to help you begin developing your training program.

Differentiate between awareness and training of security policies, while providing both to the users

Security is a learned behavior. Users must understand why they’re protecting their assets and how to do so.

  • Together, an awareness and training program is the primary medium for communicating crucial information about the new security policies across all departments and levels of the organization.
  • Employees must be aware of the expectations, responsibilities, and threats, and be equipped with the knowledge to identify and resolve security issues in order to adequately protect corporate assets.
  • Accountability follows from a fully aware, well-trained, and informed workplace.

Awareness – “Why?”

Provide employees with a fundamental understanding of potential security risks and the importance of controlling those risks as they relate to daily business practices.

Training – “How?”

Provide employees with the knowledge of relevant security threats and the rules to follow in order to reduce the risk/effects of those threats.

Info-Tech Insight

Both awareness and training of security policies should address specific matters relevant to the employees’ jobs. Employees will be more attentive and more willing to incorporate what they learn if they feel that the material was designed specifically to help them.

Case study: Go “phish”!

Industry: Marketing

Source: Info-Tech Research Group

Use a “phishing tournament” to create a positive and engaging environment, encouraging security awareness and compliance.

  • The infrastructure director suggests organizations explore dynamic and even fun ways of implementing better security practices – in alignment with policies.
  • One recommendation is a phishing tournament. The director has implemented this successfully in organizations and emphasizes the following tips:
    • Teams can be developed by employees or determined by departments – whatever works best for your organization’s size.
    • Initiate the phishing tests. The aim of the game is to determine how many phishing attempts people can identify and how many they miss.
    • Make the results fun – hand out “phishing licenses” for completing the tournament.
    • However, don’t call out people who may have performed poorly.
      • Key: If there are particularly poor performances, address them privately rather than shaming any employees. Whether you realize it or not, public shaming is counterproductive to training success.
  • Bottom line: Hosting a phishing tournament, or just choosing to make training unique and entertaining, or at least offer some rewards for good behavior, can help integrate security into the overall culture more smoothly. When employees don’t feel hammered over the head with information or consequences, they’re more likely to adopt changes or new processes.

Activity 3.4: Leverage Info-Tech’s Security Culture Maturity Assessment Tool to assess your current training program

Prior to introducing new security policies to employees, your current security training program must be assessed for effectiveness.

The Security Culture Maturity Assessment and Content Development Tool allows you to:
  • Administer an end-user knowledge assessment to identify the topics that your end users are unfamiliar with
  • Aggregate end-user knowledge to a department level
  • Identify your current state based on existing policies, objectives, topic areas, etc.
  • Define the urgency of each security topic
  • Prioritize training topics associated with policies
  • Define the target state for your security training program as a means to reiterate your current state

Next, leverage Info-Tech’s Humanize the Security Awareness and Training Program to integrate newly developed policies into training material and to continue developing your training program.

Use Info-Tech’s Security Culture Maturity Assessment and Content Development Tool.

Info-Tech Insight

Take the opportunity when assessing your end users’ current knowledge level to ask about their interests in security. Most people have a vested interest in their own privacy and the security related to that.

Case study: A small digital marketing firm acknowledges the importance of measuring the success of policy enforcement

Industry: Marketing

Source: Info-Tech Research Group

See the organization develop a review process later in Phase 3.

To round out its policy strategy, the organization explored the idea of success metrics.

Challenges

  • While the organization had a fairly robust policy suite, it had no way to demonstrate to itself, or to its customers, that these policies were effectively doing what they’re supposed to do.
    • There was no way of measuring compliance to the policies.
    • Personnel inherently trust one another; however, this will not be enough in the long run.
  • Instead of developing policies because a particular customer was asking about a specific security measure, the organization needed to look at its overall goals for how it wants to carry out its security procedures and ensure ways of demonstrating that its users are carrying out that mandate.

Next Steps:

  • The organization looked at its policies and upcoming customer projects (and their security requirements), and determined what kind of behavior it wanted out of its employees as a result.
    • Examples:
      • Annual reviews of access control to client data.
      • Better reporting of incidents.

3.5 Measure the effectiveness of security policies within your organization

The effectiveness of security policies can be assessed based on the metrics of user awareness, understanding, compliance, and business alignment.

Awareness

Measure the rate at which each policy is known throughout the organization.

“What percentage of the organization participated in awareness and training of each security policy?”

Understanding

Measure the comprehension and knowledge of the users with respect to each policy.

“After administering an objective test on the policies, what was the average score on each policy section?”

Compliance

Assess how well each policy is being followed and complied with.

A wide variety of metrics can be used to evaluate the compliance of each policy, such as “How many people fall for phishing attempts? How many are reported?”

Business Alignment

Rate the necessity of the policy to the business to gauge:

“How essential is this policy for business objectives or compliance/legal regulations?”

Note: Ensure that the policy is still relevant to the needs of the business. It might be the case that a policy is so out of touch with the business that compliance, understanding, and awareness are not necessary.

  • Compliance cannot exist without understanding.
  • Understanding cannot exist without awareness.
  • Identify the pain points in your deployment process.
  • Understand where you need to apply pressure and improve processes.

Set goals and determine success metrics for security policy enforcement

Use a whiteboard to brainstorm reasonable expectations and goals of implementing the security policies within the organization. What results do you hope to see?

Goals will help you:

  • Communicate performance.
  • Promote performance improvement.
  • Measure the effectiveness of technical controls.
  • Diagnose pain points.
  • Make decisions.
  • Increase accountability.

Determine success metrics:

What proportion of employees do we want to participate in the awareness and training program?

How can we measure the understanding and comprehension of the new security policies?

What is an acceptable score on understanding and comprehension?

What is an acceptable rate of compliance with each policy?

By when should all the policies be fully implemented?
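The awareness, understanding, and compliance metrics from section 3.5, and the success-metric goals from the questions above, can be computed mechanically once training attendance, test scores, and compliance observations (such as phishing-simulation outcomes) are recorded per employee and policy. The script below is an added example, not part of the blueprint or of myPolicies; the employee records, policy names, and goal thresholds are constructed for illustration. It also applies the dependency rule stated in 3.5 (compliance cannot exist without understanding, understanding cannot exist without awareness) to name the earliest stage that misses its goal, which is where deployment effort should go first.

```python
"""Added example: compute per-policy awareness / understanding / compliance
metrics from constructed records and check them against success goals."""
from collections import defaultdict
from statistics import mean


def _row(emp, policy, trained, quiz_score=None, compliant=None):
    # One record per (employee, policy):
    #   trained    - attended awareness/training for this policy (awareness)
    #   quiz_score - objective test score, None if not tested (understanding)
    #   compliant  - outcome of one compliance observation, e.g. a phishing
    #                simulation (True = did not click); None if not observed
    return {"employee": emp, "policy": policy, "trained": trained,
            "quiz_score": quiz_score, "compliant": compliant}


# Constructed sample data (hypothetical employees and results, not real).
EMPLOYEES = [f"e{i:02d}" for i in range(1, 11)]
AUP_SCORES = dict(zip(EMPLOYEES[:9], [90, 80, 70, 85, 95, 60, 75, 88, 92]))
AUP_CLICKED = {"e06", "e10"}          # clicked in the phishing simulation
IR_SCORES = dict(zip(EMPLOYEES[:5], [70, 65, 80, 75, 60]))

SAMPLE_RECORDS = (
    [_row(e, "Acceptable Use", e in AUP_SCORES, AUP_SCORES.get(e),
          e not in AUP_CLICKED) for e in EMPLOYEES]
    + [_row(e, "Incident Response", e in IR_SCORES, IR_SCORES.get(e))
       for e in EMPLOYEES]
)

# Constructed placeholder goals answering "Determine success metrics";
# they are not recommended thresholds.
GOALS = {"awareness_pct": 90.0, "understanding_avg": 75.0,
         "compliance_pct": 85.0}

# Dependency order from section 3.5: awareness -> understanding -> compliance.
STAGES = ("awareness_pct", "understanding_avg", "compliance_pct")


def policy_metrics(records):
    """Return {policy: {awareness_pct, understanding_avg, compliance_pct}}.

    awareness_pct     - share of all employees in scope who were trained
    understanding_avg - mean quiz score of those tested (None if nobody)
    compliance_pct    - share of compliance observations that were compliant
                        (None if there were no observations)
    """
    by_policy = defaultdict(list)
    for r in records:
        by_policy[r["policy"]].append(r)
    out = {}
    for policy, rows in by_policy.items():
        trained = sum(1 for r in rows if r["trained"])
        scores = [r["quiz_score"] for r in rows if r["quiz_score"] is not None]
        observed = [r["compliant"] for r in rows if r["compliant"] is not None]
        out[policy] = {
            "awareness_pct": round(100.0 * trained / len(rows), 1),
            "understanding_avg": round(mean(scores), 1) if scores else None,
            "compliance_pct": (round(100.0 * sum(observed) / len(observed), 1)
                               if observed else None),
        }
    return out


def assess(metrics, goals=GOALS):
    """Compare each policy's metrics with the goals and name the bottleneck.

    Stages are checked in dependency order, so the bottleneck is the
    earliest stage that misses its goal or has not been measured at all.
    """
    result = {}
    for policy, m in metrics.items():
        bottleneck = None
        for stage in STAGES:
            value = m[stage]
            if value is None or value < goals[stage]:
                bottleneck = stage
                break
        result[policy] = {
            "status": "on track" if bottleneck is None else "needs work",
            "bottleneck": bottleneck,
        }
    return result


if __name__ == "__main__":
    computed = policy_metrics(SAMPLE_RECORDS)
    for name, verdict in assess(computed).items():
        print(name, computed[name], verdict)
```

On the constructed data, "Acceptable Use" meets its awareness and understanding goals but misses compliance (two of ten clicked), so the bottleneck is compliance; "Incident Response" has only half the staff trained, so awareness is the bottleneck and its low test average is not yet the thing to fix. Swapping in real attendance, test, and phishing-simulation records is the only change needed to use it for a checkpoint report.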

Case study: As the organization grows, a regular review procedure can keep track of the year’s changes

Industry: Marketing

Source: Info-Tech Research Group

A digital marketing firm created an annual review process to ensure its policies were up to customer standards.

Challenges

  • The organization was slowly growing and had started formalizing processes around policies – from developing more procedures to support its policies to sitting down as a group and discussing new policies and what they mean for overall processes.
  • To finalize its strategy, the infrastructure director selected a small team to review the policies on an annual basis to ensure they still met the needs of their overall security strategy (now that they were mapping them to security standards like ISO 27001) and that they were up to date with what their customers were asking for in terms of security policies and procedures.

3.6 Understand the need for regular review and update

Organizations that don’t regularly review and update security policies risk becoming sitting ducks for security breaches.

  • An out-of-date, irrelevant security policy is about as useful as no policy.
  • Regularly ensure that the policies are being adhered to and that they are still appropriate to the business. Adjustments must be made to policies that are not accurately followed or are no longer applicable.
  • New technologies and new threats are introduced daily. It is crucial to stay up to date with the latest security issues (and related solutions) in order to protect the corporate assets.
  • Out-of-date policies can leave gaping vulnerabilities that can easily be exploited.
  • Watch trends, errors, traffic flow, and early warning signs to identify new threats and manage your policies appropriately.

If your organization falls prey to an attack, you may be held accountable. If you’re in charge of information security, you should insist on regular review and updates of the security policies.

Identify when to update:

  • New technology (hardware or software).
  • New/updated regulatory mandates.
  • Corporate growth.
  • Mergers/reorganization (new data and business practices).
  • Even if there are no other significant changes to business/technology, policies should still be reviewed periodically, at least annually.

Identify why to review:

  • Stay abreast of latest security issues.
  • Understand the actual security stature of the organization.
  • Optimize your security investments by prioritizing the most important controls.
  • Demonstrate to end users that the security of their data is a top priority.
  • Refocus employees on relevant security issues, increasing awareness, understanding, and compliance.

Develop an action plan to update the existing policy suite and implementation processes

The revision process can mimic the initial development process, but it will be a shorter and less intensive process.

  • Stakeholder buy-in might not be necessary again.
  • Management is familiar with the process.
  • Employees know what to expect in terms of compliance.
  • General topics are already mapped to appropriate policies.
  • The work is optimizing and improving existing documents, not starting from scratch.

Investigate problems and difficulties with previous policies.

  • How effective was the awareness and training program?
  • Which policies were difficult to understand?
  • Which policies need more effort to enforce?
  • Where were there frequent violations? Why?
  • What were the security audit results?
  • Is the policy still necessary to the business?

Plan to update

  • Assign accountability for who will be in charge of ensuring maintenance of the policies.
  • Develop a schedule with well-defined tasks, responsibilities, and deadlines.
  • Leverage feedback from all users. Give each department an opportunity to voice their concerns and make an impact on the policies. When the leader of a department is involved, they’re more likely to support the policies and encourage their teams to follow them.

Info-Tech Insight

If there is a discrepancy between what the policy mandates and compliance within the organization, either the policy must change or the behavior of the employees must change.

If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team

Onsite workshops offer an easy way to accelerate your project. If a Guided Implementation isn’t enough, we offer low-cost onsite delivery of our project workshops. Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office. We take you through every phase of your project and ensure that you have a plan in place to successfully complete your project.

Rita Zurbrigg

Consulting Analyst – Security, Risk & Compliance

Info-Tech Research Group

Céline Gravelines

Research Manager – Security, Risk & Compliance

Info-Tech Research Group

Jessica Ireland

Associate Director – Security, Risk & Compliance

Info-Tech Research Group

Call 1-888-670-8889 or email workshops@infotech.com for more information.

Insight breakdown

Security policies and procedures must be integrated into job descriptions and employee routines

  • In order for security to become second nature in an organization, it must be seamlessly looped into current tasks, such as employee onboarding. When proper access control approval processes are initiated, and the employee receives training on changing their default password, these are little steps towards creating a more ingrained security culture.
  • Conversely, everyone needs to be aware of what responsibilities they have towards security. Using the above example, HR needs to know the proper procedure for getting sign-off for access control/credentials, and managers need to be aware of what kind of training they’re required to give their employees on issues like appropriate internet use.

Security policies are living documents that require reviews and updates to maintain relevance

  • Security policies might seem “one and done,” but to keep them relevant they must be reviewed regularly. High-level policies usually require an annual review unless there have been significant changes to an organization’s overall assets; procedures will require more regular reviews – especially as roles change.
  • As new technology is brought into the organization, policies cannot stay stagnant. Conducting a regular gap analysis to make sure your suite is not missing a critical piece ensures you have everything covered.

Communication and enforcement of policies are often greater challenges

  • Creating the policies is actually the easy part – templates help. Actually integrating them into your organization’s culture is a different story: employees struggle with change, and if they feel the policy will infringe on their ability to get work done, policy implementation will be less successful.
  • Finding innovative ways to integrate users in the creation of policies (test groups) and then train them (phishing tournaments, reward programs), will go a long way in gaining their support.
  • Success metrics are not a lost cause. Think about the user behavior you want to change and go from there. For example, increasing the number of incidents reported.

Summary of accomplishment

Knowledge Gained

  • Standards surrounding comprehensive policy suites (e.g. NIST SP 800-171).
  • The difference between a policy and procedure and why it’s crucial to create both regarding security measures.
  • Applicable success metrics for policies and how they relate to changes in employee behavior.
  • Effective best practices on securing business support for security policies.

Processes Optimized

  • How to conduct an assessment of your current policies against best practices, or how to start from scratch and know what policies to begin with to build a suite.
  • How to prioritize policies in terms of implementation.
  • Policy content development through use of templates.
  • Policy communication and enforcement best practices.

Deliverables Completed

  • Security Policy Charter
  • Security Policy Prioritization Tool
  • Security Policy Templates:
    • Access Control Policy
    • Awareness and Training Policy
    • Audit and Accountability Policy
    • Configuration Management Policy
    • Identification and Authentication Policy
    • Incident Response Policy
    • Maintenance Policy
    • Media Protection Policy
    • Personnel Security Policy
    • Physical Security Policy
    • Risk Assessment Policy
    • Security Assessment Policy
    • System and Communications Protection Policy
    • System and Information Integrity Policy
  • Policy Communication Plan Template
  • Security Culture Maturity Assessment and Content Development Tool

Project step summary

Client Project: Develop and deploy a security policy

  1. Make the case and identify security policy requirements.
  2. Analyze the gaps in your policies and prioritize them.
  3. Develop the policy suite.
  4. Communicate the policies.
  5. Enforce the policies.
  6. Review and update the policies.

Info-Tech Insight

This project can be delivered in the following formats:

  • Onsite workshop by Info-Tech Research Group consulting analysts.
  • Do-it-yourself with your team.
  • Remote delivery (Info-Tech Guided Implementation).

Track metrics throughout the project to keep stakeholders informed

As the project nears completion:

  1. The number of policies written should increase.
  2. Percentage of employees trained on policies should increase.
  3. Average time to implement a policy should decrease.

Metric tracking table (columns: Metric Description, Metric Goal, Checkpoint 1, Checkpoint 2, Checkpoint 3, Checkpoint 4; fill in the checkpoint values as the project progresses):

  • Number of policies developed – goal: 15
  • Number of policies tested and approved – goal: 15
  • Number of issues raised regarding new policies – goal: 10
  • Percentage of employees trained on new policies – goal: 100%
  • Percentage of employees that acknowledged new policies – goal: 100%
  • Other metric (five blank rows are provided for metrics of your own)

Research contributors and experts

  • Michael Santarcangelo, Founder, Security Catalyst
  • Sandy Bacik, Global Risk Assessment Manager, VF Corporation
  • Paul Daley, Senior Analyst, Change Management and Security, Toronto District School Board
  • Candy Alexander, GRC Security Consultant/Virtual CISO, Independent Consultant – Partnered with Towerwall, Inc.
  • Defense Industry Technology Executive, Information Systems and Technology Branch CIO/CKO, United States Air Force
  • Debbie Christofferson, Sr. Security Manager Specializing in Enterprise Risk Management Strategy and Leadership
  • Andrea Hoy, President/Founder & Virtual CSSO, A. Hoy & Associates
  • Kevin Spease, Managing Partner / Security Engineering Consultant, ISSE Services, LLC
  • Rob Marano, Co-founder, Hackerati
  • Mark Leonard, ITS Security Manager, Wesfarmers Insurance
  • Chuck Hathaway, Director of Infrastructure, Catalyst
  • Rebecca Herold, CEO, The Privacy Professor
  • Paul Stillwell, President & Senior Security Consultant, Intrepita Inc.

Related Info-Tech research

Build an Information Security Strategy

Tailor best practices to effectively manage information security.

Humanize the Security Awareness and Training Program

If it’s not human-centric, you’re not training your humans.

Bibliography

Bacik, Sandy. Building an Effective Information Security Policy Architecture. Boca Raton, FL: CRC Press, 2008.

Canavan, Sorcha. “Information Security Policy - A Development Guide for Large and Small Companies.” SANS Institute Reading Room, 2006. Web.

Cisco. “Data Leakage Worldwide: The Effectiveness of Security Policies.” Cisco, 12 March 2014. Web.

Heinl, Chris. “3 Best Practices for Publishing Policies & Procedures.” HospitalPortal.net, 29 Jan. 2013. Web.

ISACA. COBIT 5 for Information Security. ISACA, 2012.

ISO/IEC 27001:2013. Information technology - Security techniques - Information security management systems - Requirements. ISO/IEC, 2013.

Kaspersky. “Global Corporate IT Security Risks.” Kaspersky Lab, May 2013. Web.

Kaspersky. “IT Security Risks Survey.” Kaspersky Lab, 2014. Web.

McConnell, Kerry D. “How to Develop Good Security Policies and Tips of Assessment and Enforcement.” SANS Security Essentials, GSEC Practical Assignment, Version 1.3: 2002. Web.

Penman, Carrie and Randy Stephens. “2016 Ethics & Compliance Policy Management Benchmark Report.” NAVEX Global, 2016. Web.

PolicyMatter Ltd. “The Five Critical Stages: Best Practices for Delivering Corporate Policy Management.” PolicyMatter Ltd., 2005. Web.

Ponemon Institute. 2013 Cost of Data Breach Study: Global Analysis. Ponemon Institute LLC, 2013.

Ross, Ron et al. “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” NIST Special Publication 800-171, National Institute of Standards and Technology, June 2015. Web.

Spitzner, Lance. “Human Metrics: Measuring Behavior.” SANS Institute, 21 October 2014. Web.

Villiers, Marilise de, Mathieu Cousin, and Inderpal Dhami. From Promoting Awareness to Embedding Behaviours. Information Security Forum Limited, 2014.

Weise, Joel. Developing a Security Policy. Sun Microsystems Inc., December 2001. Web.

Wunder, John, Adam Halbardier, and David Waltermire. Specifications for Asset Identification 1.1. National Institute of Standards and Technology, June 2011. Web.

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Need Extra Help?
Try Our Guided Implementations

Get the help you need in this 3-phase advisory process. You'll receive 7 touchpoints with our researchers, all included in your membership.

Guided Implementation #1 - Formalize the security policy suite
  • Call #1 - Understand policy needs and begin policy charter.
  • Call #2 - Review charter and prioritize policy development.
  • Call #3 - Formalize stakeholder support.

Guided Implementation #2 - Develop the policy suite
  • Call #1 - Customize the policy templates.
  • Call #2 - Gather feedback on the policies and get approval.

Guided Implementation #3 - Implement the security policy program
  • Call #1 - Communicate the security policy program.
  • Call #2 - Formalize program maintenance.
