A guideline for creating Policy docs, or Overview of a Policy Management Program
January 25, 2016
Jack of all Trades
About Me
Marcia Mangold, CISSP (333926), ITILF2
IS Manager of Governance, BCBSM
Former Employers: IBM (various companies), General Electric, GM, Ford / Visteon
Education:
• MSBIT from Walsh College of Accountancy & Business Admin (Novi, MI), with specialization in Information Assurance
• BS in Software Production and Management from University of Detroit Mercy (Detroit, MI)
• AS in Computer Information Systems from Henry Ford Community College
• Classes at WCCCD and Oakland Community College
ISC2 chapter and ISSA chapter member, and a proud member of InfraGard
Objectives
Overview of an IS Policy management program. At the end of this presentation, you should know:
• The difference between policy documents
• Why you should have a formal policy management program
What type of Policy Statement is it?
Choices: Guideline, Policy, Standard, Process / Procedure, neither, combination
• “To avoid overspending, we will travel in teams of two or more, with a list of items to purchase”
• “We must travel in teams of 2 or more to the grocery store. We will only purchase the list items for the lowest price.”
• 1) Go to the parking lot of the grocery store. 2) Wait until at least one other person on the shopping team arrives. 3) Review shopping list…
• “We should go to the grocery store twice a week.”
• “When I go to the store, I never buy store brands and always bring coupons.”
What type of Policy Statement is it? (Answers)
Choices: Guideline, Policy, Standard, Process / Procedure, neither, combination
• Policy: “To avoid overspending, we will travel in teams of two or more, with a list of items to purchase”
• Standard: “We must travel in teams of 2 or more to the grocery store. We will only purchase the list items for the lowest price.”
• Procedure: 1) Go to the parking lot of the grocery store. 2) Wait until at least one other person on the shopping team arrives. 3) Review shopping list…
• Guideline: “We should go to the grocery store twice a week.”
• Neither: “When I go to the store, I never buy store brands and always bring coupons.”
Not all policy documents are policies
• Policy: What is important or must be done. Uses verbs such as “shall, must, will”.
  Example: “To avoid overspending, we will travel in teams of two or more, with a list of items to purchase”
• Standard: How it will be achieved or measured. Uses verbs such as “shall, must, will”.
  Example: “We must travel in teams of 2 or more to the grocery store. We will only purchase the list items for the lowest price.”
• Process / Procedure: How to implement / perform an action. Can use any relevant statements, including “always” and “never”.
  Example: 1) Go to the parking lot of the grocery store. 2) Wait until at least one other person on the shopping team arrives. 3) Review shopping list…
• Guideline: Preferred actions that support a desired outcome (not enforceable). Can use verbs such as “should, may, can” and phrases such as “should always” or “never”.
  Example: “We should go to the grocery store twice a week. Remember that you should always eat before going shopping.”
Why are you writing a policy?
You have been asked to write a policy, but before you do, ask the following questions:
• Why are you writing this policy? Do you know the objective, background, culture, and stakeholders? If not, then you need more information to start.
• Is there an existing policy management process? If not, then you are starting in the middle…
Traditional types of Policy Documents
Policy documents can be written for a combination of end users:
• Technical: How, when, why and where you need to do something
• User: What to do or not to do
• Business: What we want somebody to do
• Consumer (outside of the Business): What you need to know before you do anything
Who is your audience?
Example: Policy Management Program
So you have been asked to write a policy. What is your process? Ad hoc? Then you need to develop a policy management program (great for audits, lawsuits, questions, buy-in, enforcement, etc.).
• Helps to create and maintain a policy lifecycle
• Helps to determine what documents exist
Steps:
• Create a charter
• Get buy-in from management
• Host policy creation planning sessions with SMEs
• Create policy life cycle
  • Determine policy ownership
  • Develop approval process
  • Develop policy creation process
  • Develop exception process
  • Develop naming criteria and policy structures
  • Create policy templates
  • Create retirement and retention process
Policy Management Program: Create a charter
• The policy management program starts like any other project, with a project charter which defines:
  • The purpose
  • Scope
  • Sponsors / champions
  • Measurements for success
Policy Management Program: Get buy-in from management
• Get buy-in from management to ensure that your policy documents will be promoted and enforced
• Your policies are only valuable if the business has a stake in them
Policy Management Program: Host policy creation planning sessions with SMEs / Create policy life cycle
• Invite representatives from the areas that will be affected by the policies that you are creating to assist with creating the policy life cycle
• They will know how long the process takes and what is involved
• They will (hopefully) become promoters of the process and the policy documents that are created
Policy Management Program: Determine policy ownership
• Does IS own the policies or does the business?
• What is the role of the owner?
  • Exception approval
  • Updates, audits, retirement
• Can there be more than one owner?
• How is ownership transferred?
This is one of the hardest tasks in the Policy Management program.
Policy Management Program: Develop an approval process
• Determine who has to approve the policy document
• Approvals can be based on
  • The type of document (standard, process, etc.)
  • How the need for the policy document originated (mandate, law, area, etc.)
Policy Management Program: Develop a policy creation process
• Determine how a policy will be created / reviewed / audited, etc.
• Determine which area of the business is responsible for each process.
Example of Policy Creation Process (shown on the slide as a cycle):
Trigger (Assessment, Review, Mandates, Laws, Rules, etc.) → Requirements gathering → Create / Review & update → Approvals → Published / Communicated → Training / Implementation → Audit / Remediation → back to Trigger
Policy Management Program: Helpful Hints and Tips
• Review the policy management program yearly
• Make sure that the Business, not just IT, are stakeholders and a part of the team
• Let the owners of the policy document create the policy while you provide guidance
• There are always exceptions to the statements in a policy
Policy Management Program: Develop an exception process
• Make sure that exceptions
  • Are tracked (for audit and review)
  • Have an expiration date (usually 1 year or under)
  • Are reviewed regularly to determine if still valid
  • Specify what they cover (no blanket exceptions)
• If you have a large number of exceptions you may have to update the policy after investigating the root cause
• Determine who will grant the exception and follow up on it
“Under no circumstances will there be an exception to my policy unless you cannot do what the policy requires you to do”
What policy document(s) do not require exception statements?
• Policy
• Standard
• Process / Procedure
• Guideline
What policy document(s) do not require exception or penalty statements?
• Policy
• Standard
• Process / Procedure
• Guideline
Answer: Process and Procedure documents do not usually have exception or penalty statements spelled out. Guidelines do not have them because a Guideline is not enforceable.
Policy Management Program: Develop naming criteria and policy structures
• Choose a naming convention for policies and a structure for grouping policy documents together
Example:
1.00.000 Information Security Policy
1.01.000 Security incident policy
1.02.000 Mobile Computing Policy
1.02.001 Mobile device standard
1.02.001.A Installing Good on a Mobile device Process
1.03.001 Acceptable Use Standard
1.03.002 Acceptable Use Guideline
Policy Management Program: Communication methods for policy documents
• Use as many avenues as you have:
  • Newsletters
  • Emails
  • Articles
  • Team meetings
  • Brochures
  • Webinars
  • Web and SharePoint pages
• Include, for Users:
  • FAQs
  • Guidelines
  • Hints and tips
Policy Management Program: Displaying policy documents
• The current method for displaying policies is to make them user friendly by
  • Grouping the policies or the policy statements together based on the audience
  • For example: policies related to technology may be put together in their own web page or repository
  • Likewise, user documents may be stored together.
• One of the new trends is to create user friendly documents that read like articles and offer a link to the underlying policy document
For Users, old method → new method:
• Acceptable Use Policy → How to use my devices at work
• Password Policy → How to create and maintain my Password
• Data Classification Policy → How to classify my documents and emails
• Confidential Data Policy → How to handle confidential information
• Retention Policy → How long should I keep my documents?
• Guest Access Policy → How to get my Guest access to our area
• Physical Security Policy → How to make my work area more secure
Policy Management Program: Create policy templates
• What are the sections of the policy documents?
• Can any of the sections be omitted, reordered or added without approval?
• What can you enforce?
Example template:
1. General Information
  1.1 Name of document
  1.2 Owner
2. Overview
3. Purpose
4. Scope
  4.1 Audience
  4.2 Related documents
5. Definitions
6. Statements or body of the document
7. Enforcement (not in a process / procedure or guideline)
8. Revision History
Guidance for Policy documents and statements
• Avoid mixing the different types of statements into one document
• Keep policy documents to under 5 pages (exception: process / procedure documents)
• Group similar statements together
• Avoid duplicating sentences in different policies
• Make sure that guidance documents are clearly marked (audit)
• Have only one repository for key policy documents
• Review them, update them and communicate them regularly
• Policy, Standard, Process and Procedure statements must be measurable and not open to interpretation (can you create a KPI from the statement?), and easy to understand (based on the audience)
Did you know that Guidelines can be called guiding principles, guidance, additional information, etc.?
Policy Management Program: Create a retirement and retention process
• You need to determine how a policy will be moved from active to retired, and how to retain a retired version
• Things to consider:
  • Retired policy documents may be used by
    • Legal for litigation, settlements, etc.
    • HR for disciplinary action justification, etc.
  • Where will the retired policy document be stored?
  • How do you communicate retirement of the policy document?
List of Possible IS Policies
It does matter what you call them, but many companies start with these policies:
Acceptable Use Policy, Backup Policy, Incident Response Policy, Virtual Private Network (VPN) Policy, Wireless Policy, Network Security Policy, Confidential Data Policy, Mobile Device Policy, Outsourcing Policy, Password Policy, Network Access Policy, Remote Access Policy, Guest Access Policy, Third Party Connection Policy, Encryption Policy, Data Classification Policy, Retention Policy, Physical Security Policy
• It takes about 3 – 9 months to publish a policy
• Many policy documents are put on hold or never published. Make sure to document those also.
Summary
You should know:
• The difference between policy documents
• The components of a formal policy management program
Questions???
Need more information: Marcia Mangold, CISSP, Marcia.mangold@gmail.com