Information Security Policies and Procedures Part 3

Wednesday, May 04, 2011

Alex Hamerstone


This is part of an ongoing series on documentation development. Please be sure to read the previous posts in this series: Part 1 Part 2

While we are still at the beginning stages of preparing to develop policies, procedures, and related documentation, it is important to mention a few things not to do:

Do Not Repurpose/Borrow the Work of Others

Search engines are great, and place a vast body of human knowledge at your fingertips. This vast knowledge often includes the intellectual property of others. Finding policies on the internet and using control H to place your organization’s name in place of another is not only wrong, it is also ineffective.

Even if you have policies examples available that are not covered by copyright, they still will not cover everything you need in most situations. Every organization is unique, and as such has unique policy and procedure requirements.

By all means, scour the web, libraries, desk drawers, etc. for policies to get ideas for format, structure, and things to include. But be sure to create your own intellectual property.

Do Not Ignore the Input of Others

No doubt you are an expert in your chosen field. However, developing policies and procedures is best done with the input of others. Be sure to speak with the Human Resources department about Acceptable Use, System Access, and other cross functional policies.

Talk to your receptionist or security guards to get another perspective for Physical Security and Visitor policies. And certainly, wherever possible seek direction from whoever will be tasked with approving the policies. I am sure you get the idea; I could go on ad infinitum listing people who you should involve in policy creation.

Do Not Over-complicate Things

I have never been accused of using too few words. However, when writing policies, be sure to be clear and concise. Don’t use two sentences where one will do. (Save that for blogs.) Of course it follows that you need to be thorough enough to make certain that your audience understands what the policy is saying.

Finding the perfect balance is never easy, but if you are cognizant of this issue, you will likely be okay. Just remember, there is a reason Hemingway didn’t write policies.

Do not Forget the Audience

There are policies and procedures that will be distributed company-wide, and others that will stay within IT. While IT procedures may be filled with the intricacies of required network logging, general policies will need to be geared toward a more general audience.

Do Not Get Stuck in the Weeds

Don’t let small issues derail your documentation project. Keep writing. There will always be debates about minutiae; note these for later resolution and move on. These decisions will need to be made prior to final approval and distribution, but they shouldn’t stop your progress.

Do not Confuse Policies with Procedures

As we discussed in a previous installment, policies and procedures have significant differences. One practical reason to separate policies and procedures involves the approval process.

While policies generally go through an approval workflow that includes executive management, many times procedures (especially highly technical IT procedures) can be updated less formally.

If procedural steps are embedded in policies, you could find yourself seeking executive approval each time you change software vendors or process minutiae. We will discuss this more in later installments.

In our next installment of this series, we will cover basic document formatting and structure. (Don’t worry; it is not as dry as it sounds.)

Cross-posted from Secure State

Possibly Related Articles:
Information Security
Enterprise Security Management Documentation Information Technology Information Security Policies and Procedures
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.