Welcome to this video on policy, standards and procedures.

Whilst everyone in the organization has a responsibility to be vigilant and adopt the right behaviours to keep the information and systems they work with secure, they require appropriate training and support to achieve this.

This video looks at the role information security policies, standards, processes and procedures play in maintaining safe systems, and the documentation required for each element.

It also looks at the need to balance system security and functionality, and the cost of implementing appropriate controls.

The Information Security Manager is responsible for defining the organization’s information security policy and standards, which then lead to the procedures and guidelines all staff must follow.

The information security policy sits at the top of the organization and acts as the guide for the processes, procedures, work instructions and technical controls created from it. There must always be traceability back to the policy requirements for every security decision.

This documentation set helps to ensure procedures are clear and staff undertake their obligations – like reporting an incident – in the specific way.

Let’s look at each of these elements in more detail.

The information security policies define the organization’s approach to information assurance.

They generally contain statements of the organization’s values, goals and objectives, and define a general outline of how these should be met.

Policies should be written at high level and not include implementation detail. For example, a policy might state that a user is responsible for the security and safety of removable media in their possession. However, it wouldn’t detail how this should be implemented; that’s the job of a process or procedure.

The policy states the organization's objectives, while the procedures how the objectives will be met. Policies and procedures are written as positive statements of intent. Codes of practice reinforce policies and procedures and are often incorporated into an Acceptable Use Policy.

An Acceptable Use Policy states the rules individuals must follow, for example:

· Which internet sites are prohibited

· How corporate email should be used

· The rules for mobile phone use, and even

· How to deal with the media

They can also provide guidelines on ethical issues like racism, sexual discrimination and harassment.

Relevant conditions of employment should also be stated in an Acceptable Use Policy, including end-user adherence to external standards and laws.

If there’s a security breach or a user isn’t following procedure, remedial action should be taken. The consequences of a policy violation should be clear to all staff in the organization.

The circumstances and impact of a security breach should be documented, and shared with relevant stakeholders in the organization, including the Information Security Manager, HR, the individual’s line manager and the relevant senior executives.

The documentation should also include the penalty for the violation which should be proportionate to the severity of the security breach. For example, a breach of the code of practice may follow a ‘three strikes and you’re out’ approach where two warnings are issued before the HR interview occurs.

Responses must always be measured and appropriate and each case should be treated individually.

An incident must be fully assessed before administering a penalty. This process must look at all the evidence to ensure the reasons are understood and identify whether it’s covered by the general policy. For example, if a member of the technical security team accessed a black-listed website as part of an on-going investigation, it would be against policy, but they wouldn’t be penalised.

As we’ve seen, procedures flow from the policies. A procedure is a detailed set of instructions that specifies how to do a specific task; for example, it might detail the steps an individual should take to log removable media with the Information Security Manager before it’s used.

Processes and individual working instructions are more detailed than procedures. They can incorporate multiple ways of following procedures for individuals in different parts of the business or in different locations. There can be many working instructions for a single procedure and multiple procedures that meet a single policy objective.

Standards are typically used to complement policies and procedures but are more prescriptive in the controls they provide. For example, stating that passwords must be at least 15 characters in length.

Standards can be developed in-house or adopted from publicly available examples. The most common information security standards are ISO/IEC 27001 and PCI-DSS. In the United States, the healthcare standard HIPAA is also adopted by organizations handling medical records.

A guideline outlines how something should be done, but it’s not mandatory; if an organization has a more effective way of doing something, they can follow their own method rather than the guidelines. An example of a guideline would be advising users how to create a memorable but secure password.

When an organization employs external contractors or suppliers, they should ensure they follow standards that are equally as rigorous as those imposed on other staff. A chain is only as strong as its weakest link; the organization is still responsible for the service delivered to their customers even if it’s provided through a third-party. Penalties for security breaches can mean huge fines or imprisonment for the responsible person.

Third parties should be audited to validate that they meet the organization’s information security policy. This could mean they present their ISO 27001 certificate to the Information Security Manager and allow compliance audits to be conducted according to a schedule set by the organizational policy. The organization might even send a team of auditors to the third-party’s site.

On the reverse side, an organization who is a supplier or contractor, should review the commissioning organization’s policies, procedures, standards and processes before they contract with them. They should also ensure their internal systems are fully compliant with the requirement.

The Information Security Manager must strike a balance between security, functionality and the cost of implementing appropriate controls. Too much security can restrict functionality and be expensive to implement; too little security can leave the organization in a high-risk situation.

Not all countermeasures and controls need to be technological. In some cases, a technical solution to counter a threat may be impossible to implement, therefore, other measures may be more appropriate. Understanding the balance between the physical, procedural and technical controls will allow the organization to manage the risks it’s exposed to effectively, within budgetary and personnel constraints.

That’s the end of this video on policies, standards and procedures.