Policy writing, especially in cybersecurity, can be a lot of work. With so much information, where do you start when creating policies and procedures for your organization?
Marcia Mangold, Information Security Manager for GRC at Emergent Holdings and a SecureWorld Advisory Council member, says a framework can be a great place to begin if you're new to policy writing or building a new document from the ground up.
"If you are someone who's doing this [creating policies] manually, and you don't have a team to help you, then right here is a great place to start," Mangold said about using a framework to build cybersecurity policies.
At the SecureWorld Great Lakes virtual conference, she demonstrated the ease of working with HITRUST's Cybersecurity Framework (CSF), which can be downloaded for free and offers 14 control categories, including 13 for security and one for privacy. However, the tips she provided are not exclusive to working with HITRUST's framework.
No matter how long you have been in cybersecurity or which program you use, frameworks have many perks to offer for policy drafting.
Benefits of using a cybersecurity framework for policy creation
Policy created from a framework can get everyone—including executive-level management—on the same page.
"A framework provides the rules and guidance. Also, they give you that roadmap that you need and also credibility with the stakeholders and your supporters."
Outlining your policies also guides the security and IT teams and helps tremendously when audit season rolls around.
"One of the most important reasons that you want to make sure you have documented your policies, your processes, and your standards, is because that lets you know what you need to do, if you're doing what you say you're doing, and how to get that roadmap to the future of what you need to do."
Here are a few tips from Mangold to keep in mind as you start building or updating your policies and procedures.
Best practices for cybersecurity policy creation
1. Look to leadership to give you direction
Imagine going to the trouble to write a policy, then leadership does not approve it. Mangold says the business leadership should be included in the process or you might be wasting bandwidth:
"Remember, leadership has to say that we're going to do this, it has to be adopted by the business. Otherwise, you're just writing a piece of paper that no one is going to follow."
2. Use one-sided language to avoid confusion
When writing policy, Mangold recommends avoiding two-sided words because they often add confusion when the team is completing tasks. During her SecureWorld presentation, Mangold shared this example.
"Consider two-sided words—could, can, should, may—those types of words. If you put them into a policy or standard, then it's no longer a policy or standard because it gives a person a choice. 'You could go in the house, or you could stay outside?' It should be either you want them to go in the house or you don't want them to go in the house. Otherwise, they can argue that whatever rule you put in place is unfair, because you gave me a choice."
3. Rethink writing more than five pages
Most people find it hard to wade through pages upon pages of policy. Mangold's rule of thumb is that more than five pages could be too much, depending on the scenario.
"If you find that for a policy that you're going over five pages, you probably want to break it into another policy because otherwise, you're covering too many subjects or topics in there."
4. Update your policies yearly
We know that cybersecurity is a journey, not a destination. That's why Mangold recommends updating your information security policies at least annually.
And this brings up another benefit of using a framework as the outline for your policy creation: frameworks are continuously evolving.
"If you're [using] a framework, when they [the provider] update that framework, usually they give you a document and say 'this is what's new.' That gives you a starting point. If that comes before the year is up, and I get a document saying this is what's new, now it's a chance for me to look at my policies again."