
Security policies are a great opportunity to influence behaviour. Unfortunately, for a variety of reasons they’re not usually as effective as they could be. Despite our efforts to sell the value of information security, actually reading a policy is less popular than a fart on a plane. There’s a reason that a security policy has never made the New York Times bestseller list, and it’s not because security policies have yet to be discovered by Oprah. We need to do better. But what would ‘better’ look like? Here’s a list of seven aspects to consider.
Brevity – the shorter the policy, the more people will tolerate actually reading it. You need to ask yourself, if people only read the first five pages, what will they get out of it? If after reading the first five pages people have only learned about the authors and the administrivia of version control then you’re not off to a good start. Policy perfection isn’t when there’s nothing left to add. It’s when there’s nothing left to take away.
Readability – many security policies seem to be written solely for security practitioners or legal professionals. There’s a name for when you write something for yourself: it’s called a diary, not a policy. Long sentences, technical terms and complex sentence structures all detract from audience understanding. Information security needn’t be rocket science, but that’s what we make it if we’re not careful. Complex language might be appropriate if your security policy is for legal partners to read; it’s not so great if your target audience is average office workers with 2.5 kids, 0.8 university educations and 0.4 attention spans. The Fog Index is a great tool to objectively work out the readability of your policy. You might be surprised just how complicated some of our documents are. For example, the opening paragraph of the Acceptable Use Policy template available from the SANS website is rated by the Fog Index as 24.5. A Fog Index of around 12 is suitable for a high school senior. More than 20 means the text is really only going to be properly understood by university graduates. This is a problem if you need your PCI auditors to be able to understand it.
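To make the readability point concrete, here is an added example (not code from the original post) that computes the Gunning Fog index of policy text: 0.4 × (average sentence length + 100 × share of words with three or more syllables). The two sample sentences are constructed, and the syllable counter is a vowel-group heuristic of the kind automated Fog calculators use, not a dictionary lookup.

```python
import re

# Gunning Fog index: 0.4 * (words per sentence + 100 * complex words / words),
# where a "complex" word has three or more syllables. Syllables are estimated
# with a vowel-group heuristic (an assumption of this example, not an exact rule).

VOWEL_GROUPS = re.compile(r"[aeiouy]+")
WORD = re.compile(r"[A-Za-z']+")

# Constructed sample text: a jargon-heavy clause and a plain-English rewrite.
JARGON = ("Personnel shall ensure that organisational information assets are "
          "utilised in accordance with applicable regulatory obligations.")
PLAIN = "Use company systems only for work. Do not share your password."


def count_syllables(word: str) -> int:
    w = word.lower()
    # A trailing "-ed" is usually silent except after t or d ("accessed" vs "needed").
    if w.endswith("ed") and not w.endswith(("ted", "ded")):
        w = w[:-2]
    n = len(VOWEL_GROUPS.findall(w))
    # A trailing silent "e" ("ensure") adds no syllable; "-le" does ("applicable").
    if w.endswith("e") and not w.endswith(("le", "ee")) and n > 1:
        n -= 1
    return max(n, 1)


def complex_words(text: str) -> list[str]:
    """Words that push the Fog index up: three or more syllables."""
    return [w for w in WORD.findall(text) if count_syllables(w) >= 3]


def fog_index(text: str) -> float:
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = WORD.findall(text)
    if not sentences or not words:
        return 0.0
    hard = len(complex_words(text))
    return 0.4 * (len(words) / len(sentences) + 100 * hard / len(words))


if __name__ == "__main__":
    for label, sample in (("jargon", JARGON), ("plain", PLAIN)):
        print(f"{label}: Fog {fog_index(sample):.1f}, complex words: {complex_words(sample)}")
```

Run against a draft policy paragraph by paragraph, the list of complex words tells you which terms to replace, and the index tells you when you have reached roughly high-school level.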
Business Alignment – in many organisations there’s a gap between the rules of the security policy and the actual risk appetite of the organisation. Make sure that the policy you write is what your organisation wants and will support, not just what you think is right, or what your last organisation thought was right. If your policy doesn’t align to the reality of your business operations then it’s the credibility of the security team at stake.
Accountability – a good policy makes a clear link between people and accountabilities. For every sentence in the policy, if not each paragraph, you need to ask yourself if you’re clear what responsibility you’re assigning to whom. If you’re not sure, consider cutting the text and making it shorter.
Objective Focused – a good security policy is descriptive, not prescriptive. Don’t try to give people an exhaustive list of do’s and don’ts. Instead, help them understand the big picture and what you’re trying to achieve. If you try to give people an exhaustive list of prohibited content then you’re bound to miss something out. Laugh now, but I bet you haven’t expressly prohibited the use of your email system to send pictures of spiders to arachnophobics. Instead, use an umbrella objective such as not using messaging systems in a way that could cause distress to others. That way you won’t be caught out by the Black Swan of harmful behaviour.
Traceability – when quoting from your security policy it helps to be clear which requirement you’re referring to. Numbering each requirement is vital so that you can quote from the policy. ‘You’ve breached somewhere in the back, near where most people fall asleep’ doesn’t cut it.
Currency – Don’t imagine for a second that ‘this’ edition will be the perfect one and spend too long trying to make it perfect. Instead, go for an evolutionary approach. Get it published and then immediately start planning for the next version based on employee feedback, new technology and changes in your organisation’s risk appetite.
Ultimately, writing a good policy is an art and the end result will always depend on the culture of the organisation and its needs. If you’ve got any ideas on what makes a good policy, do get in touch.
Hi Geordie. Interesting perspective! Here’s another angle on the same thing in our
Our lists are curiously complementary in most regards.
Thanks for writing the blog and the security awareness column in the ISSA Journal – always worth a read.
Merry Chrimbo and all the best for 2016,
Gary