This is the third in our series sharing thought pieces from the CISO Desk Reference Guide: A Practical Guide for CISOs, volume 1. In the following excerpt from Gary Hayslip’s essay for Chapter 3, concerning security policy, and continuing our opening section on the basics, Gary points out how foundational security policy is. Please enjoy.
You Will Be Judged by Your Policy
An excerpt of Gary Hayslip’s essay for
Chapter 3 – Security Policy
“I truly believe that cybersecurity becomes a strategic asset when an organization follows best practices, the CISO mentors their security teams, and you install, tune, and leverage your tools for maximum effectiveness.”
As a CISO, one of the first policies you will need to develop and evangelize within the organization, from executive management to the hourly line worker, is the company’s information security policy. This document will become the essential reference for your security program and the business for any issues that relate to cybersecurity. Your stakeholders will use it as a guide to assist them when they order technology services, purchase new IT assets, or implement strategic technology projects. They will also use it as a template, a ruler to measure whether they are within its acceptable parameters concerning cybersecurity and risk exposure to the organization. As you can imagine, this document may significantly impact the organization and how it conducts business. It should, therefore, reflect the organization’s objectives for security and the agreed-upon strategy for securing information. This is also why, for the policy to be effective, executive management should formally adopt it. Let’s discuss what components make up this important document. The first question we will consider is, “In building the organization’s information security policy, what is the process, and what components should the CISO consider essential?”
As CISO, the information security policy you create is a foundational part of your information security program. Hence, you must develop it with an understanding of its strategic importance to the organization. The first step you will need to take in preparing the information security policy is to meet with executive management. This policy will impact the whole organization, and you will require executive management to sponsor it, providing it the legitimacy of an executive mandate. To get this type of executive support, you must meet with executive leadership and get their input. In these meetings, which I usually do one-on-one, you will want to find out how they view security; what data, processes, and applications they see as critical to the business; and what types of data, work processes, and projects should be classified as sensitive and afforded enhanced protective measures.
I recommend that when you conduct these interviews with executive management, you remember that you are there as a listener. Listen and do not interrupt. Learn what’s important to them, note their responses to your prepared questions, and then follow up with a document summarizing their answers and what you have learned. Listening will convey that you care about their input and demonstrate that you have correctly captured their insight.
With this information collected, you can now start to review it for commonalities. What I have found in the past is that specific applications and data types will stand out as critical to multiple leadership team members and are therefore highlighted as business assets that will require a higher level of governance. In Chapter 2, I outlined the importance of using this collected information to create a data governance program. This program will enable you to classify the identified data types by their criticality to the organization’s business operations. This program should also designate which identified data types have compliance requirements that will dictate specific security and handling procedures concerning the business processes that created them. With this data governance plan, you should have greater insight into executive management’s opinions about security.
With a more concrete understanding of the organization’s essential data assets, it’s time to create a comprehensive organizational security strategy. To do this, we will first select a security framework that is consistent with the criticality of the identified data types. This framework will be the foundational platform on which you will build your information security program and serve as a guide for creating the company’s information security policy. Using an industry-standard security framework (NIST, ISO, ISACA) will help ensure that your policy has the legitimacy that executive management can endorse. It will provide an approach that external auditors and business partners can accept.
I recommend a couple of best practices for creating an information security policy. First, the policy you create must reflect actual business practices. If it doesn’t, the business will never entirely accept the policy. I once worked with a CISO who created his policy based on best practices he hoped his organization would someday follow. That policy was never supported, resulting in an organization without effective cybersecurity guidance.
The second best practice is to keep it short. Agree to a small number of principles that all the business managers in the organization can accept and use them as guides to build your first policy. Once you create this policy, provide it to the organization’s executive leadership team for their approval and request that it be published through them to the company as an executive policy to be observed by all personnel, partners, and third-party vendors.
Now you may ask yourself, “If this is an information security policy for the organization, why don’t we include everything? Why keep it small?” As mentioned above, you want something manageable that your business stakeholders can accept. When asked this question, I reply, “The information security policy is like the handle of an umbrella. The information security standards and guidelines document is the umbrella top that protects the organization from the digital elements. The standards and guidelines document how company employees would follow the security policy and its mandates.” You don’t have to go in depth. You can keep the policy and its components generalized. As an employee reads the information security policy, they will find references to specific sections of the standards and guidelines documents.
These standards and guidelines will act as a reference point, providing information for implementing a specific policy component. So, to sum this up, the CISO should speak with executive management and senior business stakeholders. Use the data you collect from these discussions to create an organizational information security policy. Stakeholders throughout the organization will use the detailed steps in the information security standards and guidelines to implement and follow this policy.
The CISO will also use the information collected from executive leadership to select an appropriate security framework. This framework will be the foundation for managing the risk exposure for the critical data assets identified by executive leadership. This framework, in turn, will drive the creation of an information security program. As this program matures, it will be the primary vehicle for the CISO to govern the organization’s information security policy.
As you can see, we are looking at a lifecycle. The CISO will periodically meet with executive management, and over time, due to business or regulatory changes, both policy and security programs will require updates. This process never stops. It is continuous, and you need to own it as one of the core business processes for your cybersecurity program.
Here are some final notes that I believe we should talk about before you create your information security policy. First, don’t forget to keep this document high-level because you have other methods to provide in-depth information. Second, if you are with a large organization, you will need to write your policy with the understanding that each business channel/department will probably have a departmental policy on how they will interpret the corporate policy so that it meets their business requirements. Third, if you add sub-policies to the main document, ensure they don’t repeat a topic from the parent document.