A good information security policy is normally the starting point when promoting security awareness. However, organizations implement policies in very different ways. Surprisingly, despite security policies being common practice for decades, we still have trouble agreeing on what a good security policy looks like. Too long, too short, too dictatorial, too polite. It’s a subject of much debate that won’t be resolved any time soon.
Information security policies are a common way of managing information security behaviors. They set out the organization’s security objectives as well as the roles and responsibilities for achieving those objectives. They also give organizations the ability to discipline or dismiss staff who don’t follow the rules. Some policies are high-level documents of only a few pages; others are weighty tomes covering all possible angles. In considering what the ‘right’ security policy is for an organization, there are a number of factors that need to be considered.
Who is the intended audience? Is everyone in the organization expected to read the security policy, or is the security policy just a foundation document which is supported by additional training materials? Identifying the audience for each document is important so that the language, structure and tone of the document reflect the needs (and abilities) of the intended audience. To help with audience alignment you may want to use tools such as focus groups or personas.
How long should a security policy be? Some organizations try to list every behavior which is prohibited. Organizations going down the path of detailed prohibition have two problems. Firstly, the content becomes long and tedious. Secondly, they run the risk of omitting specific behaviors which people could then argue were allowed because they were not specifically prohibited. ‘Do not steal this chair’ was a saying that a wise old policy manager used when debating security policy with me. His point was that nowhere in policy will you normally find a specific instruction not to steal your chair. Despite this universal omission, most organizations are not rife with the theft of seating furniture. His point, I think, was that some things are self-evident. People know that stealing is wrong and would never try to defend themselves in an employment tribunal by saying that a statement on chair theft wasn’t in the policy and therefore they didn’t know it was wrong. If you’re telling your audience something they already reliably know, or communicating organization requirements which are already self-evident, then you could be wasting their time. Finding the right balance between length and brevity in large organizations is a real challenge, but don’t automatically assume that your security policy needs to be War and Peace.
Should policies read like a contract? While policies normally form part of an employment contract with the audience, making them read like a contract is not always a good idea. Some security policies include complex legal language that even a lawyer would struggle to understand. If only IT Security and the legal department can decipher the policy, that suggests it’s not a very good one. Long sentences, large numbers of conditional statements and obtuse words all reduce understanding and therefore the expected influence on behavior. It’s vitally important that security policies are understandable by the intended audience. Some organizations use the Fog index to measure document complexity. A high Fog index is produced by long sentences containing large numbers of words of three syllables or more. A Fog index of around 12 is suitable for a high school senior. For text to be universally understood it needs to be around 8 or less. It’s often assumed that security policies need to look complicated and use pseudo-legal language. We need to stop this, as it’s not helping.
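To make the Fog index concrete, here is an added example (not from the original post) that scores two constructed policy clauses with the Gunning Fog formula and maps the result to the thresholds quoted above. The syllable counter is a vowel-group heuristic, a simplification of the original definition, which also excludes proper nouns and common suffixes from the hard-word count.

```python
import re

# One syllable per run of vowels; "y" is treated as a vowel throughout.
VOWEL_GROUP = re.compile(r"[aeiouy]+")


def count_syllables(word):
    """Heuristic syllable count (assumption: vowel groups, minus a trailing silent 'e')."""
    w = word.lower()
    groups = len(VOWEL_GROUP.findall(w))
    # "storage" -> 2, but keep the "-le" ending of "removable" -> 4.
    if w.endswith("e") and not w.endswith("le") and groups > 1:
        groups -= 1
    return max(groups, 1)


def words_of(text):
    return re.findall(r"[A-Za-z']+", text)


def sentences_of(text):
    return [s for s in re.split(r"[.!?]+", text) if s.strip()]


def complex_words(text):
    """Words of three or more syllables: the 'hard' words the Fog index penalises."""
    return [w for w in words_of(text) if count_syllables(w) >= 3]


def fog_index(text):
    """Gunning Fog: 0.4 * (average sentence length + 100 * share of hard words)."""
    words = words_of(text)
    sentences = sentences_of(text)
    if not words or not sentences:
        return 0.0
    avg_sentence_length = len(words) / len(sentences)
    hard_share = len(complex_words(text)) / len(words)
    return 0.4 * (avg_sentence_length + 100 * hard_share)


def readability_verdict(fog):
    """Thresholds from the post: 8 or less is universal, around 12 is a high school senior."""
    if fog <= 8:
        return "universally readable"
    if fog <= 12:
        return "high school senior"
    return "too complex for a general audience"


# Constructed sample clauses: one in pseudo-legal register, one in plain language.
LEGALESE = "Personnel shall not utilise removable storage devices unless authorised by the organisation."
PLAIN = "Do not plug in USB sticks you found."

if __name__ == "__main__":
    for label, clause in (("legalese", LEGALESE), ("plain", PLAIN)):
        score = fog_index(clause)
        print(f"{label}: fog={score:.1f} ({readability_verdict(score)}) hard={complex_words(clause)}")
```

Run over a whole policy document rather than single clauses, the average sentence length term dominates, which is exactly where long, heavily conditional sentences show up.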
Are policies mandatory? It’s generally accepted that any use of the word ‘should’ implies that compliance is optional. This means that statements using the word ‘should’ are just guidelines, and you’re giving the audience the discretion to decide when they can be set aside. Check with your HR or Legal department to find out what is possible in your jurisdiction, as countries do vary.
Ultimately, every security policy needs to be tailored to fit the organization, its culture and its goals. As technical experts, it’s very easy to succumb to trying to cover all possible risks and behaviors, to the extent that our security policy becomes unreadable by the intended audience. Do you have any security policy horror stories to share? Please get in touch.