While attending the NCMS Carolinas Chapter meeting at Cisco Systems recently, I saw a presentation by Mark Whitteker, MSIA, CISSP, ISP. Mark comes out of the IT security world, so most of his presentation focused on IT security. He also presented a segment on Building a Comprehensive Security Architecture Framework that might benefit all of us. What Mark shared with the group is a pragmatic approach to creating and updating policies and procedures that could be used by any organization. When implemented, this process gives an organization a customizable framework and the stability it needs to prosper.
In general, policies establish the strategic objectives and priorities of an organization. They set the standards and expectations for the population. From a security perspective, they are a powerful tool because they identify roles and responsibilities and provide for accountability, and they do so for every population within the organization: employees, contractors, visitors, and any other personnel on site. As Mark's flow chart below demonstrates, procedures are developed much later in the process. Procedures are the detailed implementation instructions individuals follow to carry out the policies. They are often presented as forms or as lists of steps to be taken.
Why is this so important from a security perspective? All security events are caused by people: either they intentionally do something to obtain, injure, or destroy an asset, or they unintentionally do something through lack of knowledge or understanding. Since no organization can protect all of its assets (human, capital, and reputation) from the nefarious or inadvertent actions of others at all times, it needs a security program that deters, detects, and defends business assets continuously. Most businesses are not Fort Knox (which, by the way, is not immune from security events), and security-related policies and procedures are a critical tool that businesses can use to defend against the human threat.
What I believe Mark's flow chart provides is a systematic approach to developing policies, grounded in industry standards, that can be applied company-wide.
For any organization that is evaluating its policies or putting policies in place, the first place to start is the industry standards for the area the policy will cover. Lighting, egress, the protection of trade secrets, IT security, and the protection of classified and/or personal information are just some of the areas for which security industry standards are available. In addition to industry standards, security best practices play an important role in any company's security program. These may be industry-specific or provide general guidance. In the absence of standards, companies are judged against recognized best practices. Premises liability is a prime example. An organization's ability to defend itself against litigation depends on its ability to establish that a security program was in place to respond to threats it was aware of, or should have been aware of. Similarly, if an organization has to defend itself against a compliance violation or claim damages after a loss of trade secrets, it must be able to demonstrate the protective measures that were in place to protect that information. In every case, security-related policies are a key component of the security program.
There are many sources for security-related standards and best practices. Organizations such as ASIS International, the International Association for Healthcare Security & Safety (IAHSS), and the National Classification Management Society (NCMS) are good starting points for this kind of information.
Policies are the guidance necessary to protect your organization's assets. When establishing those guidelines, look to industry standards and best practices for a general framework. Policies should be high-level and solution-agnostic in order to minimize the need to revisit them as technology changes. The details belong in the policy standards.
Policy Standards are the specific technical implementation requirements that satisfy the policies. Within a policy, they should appear as hyperlinks or references to the policy standard documents rather than being spelled out in the policy itself. This lets an organization modify or update the standards as technology advances without a policy change and the review and approval by senior management that a policy change requires.
Policy Implementation is about communication (who, what, when, where). Considerations include:
- Who does this policy apply to?
- What do you want them to do?
- When does it apply?
- When and how will the population be trained?
- When and where will the population get additional awareness reinforcement?
Procedures are the guidance individuals need in order to comply with the policy. They provide detailed, step-by-step instructions users must follow to implement controls according to the latest standards.
Services inform the population about the support services available to them. Here we are referring to security-related services, but the same idea applies to other areas of the business. Considering this on the front end improves communication and, ideally, gives the professionals responsible for implementing the policy and procedures the resources they need to provide the population with the tools and support required to comply.
Measuring Success brings the process full circle and puts in place a system of continuous quality control and improvement. Things change: populations change, and industry standards and best practices change. There should be a process to measure success and allow the organization to adapt.
In the world of security, the best any organization can hope for is to have the internal and external controls in place to deter persons with nefarious intent. It's kind of like termites: if we can't eliminate them, let's at least make it so uncomfortable that they move somewhere else, since there are plenty of unprotected opportunities elsewhere.