CISOs are often seen as the superstars of information security, but the role comes with strains and challenges which are often unavoidable; for instance, striking the right balance between risk mitigation and the commercial demands of the business is a difficult task.
This is further compounded over time as the organisation grows and matures, sometimes spreading into multiple geographic locations and incurring ever more regulations and greater scrutiny.
It stands to reason that these difficulties can be eased early on with good policy and procedure creation and management.
But what does this mean in practice, and what do you do when the figurative horse has already bolted from the stables?
The Purpose of Policies and Procedures
Policies and procedures establish guidelines to behaviour and business processes in accordance with an organisation’s strategic objectives.
Usually created in response to legal and regulatory requirements, their primary purpose should be to convey accumulated wisdom on how best to get things done in a risk-free, efficient and compliant way.
The most common type of policy or procedure you may be familiar with is an IT user acceptance policy, which instructs new and existing users on which actions are permitted or not permitted using assigned IT equipment.
Common Policy Pitfalls
IT user acceptance policies are not new but often end up ignored, unread or abandoned completely. Here are some of the most common policy pitfalls we have come across:
- Policies which have been written in legal language are poorly understood by users.
- Badly structured policies which are difficult to read and which can contradict themselves.
- Policies which are out-of-date may have no relevance to the user reading and applying them, leading them to be ignored.
- Policies are sometimes written to comply with a regulation or standard but are never distributed to users and therefore never implemented.
- Policies are written for the sake of having a policy, but no infringement of that policy is ever recorded or managed appropriately.
- Management are sometimes unaware of the existence of policies, or do not review them to ensure they are aligned with the organisation's goals.
These pitfalls are unfortunately very common, and we have witnessed them numerous times over the years.
So, what is the secret for effective policy management?
We have narrowed this down to six steps.
Policy excellence in six steps
Step One: Create/Review
The first thing to understand when creating policies is that those created purely to satisfy auditors and regulatory bodies are unlikely to improve business performance or bring about policy compliance, as they rarely change employee behaviour appropriately.
Lengthy policy documents full of technical and legal jargon may satisfy legal departments and look impressive to auditors and regulators, but busy employees will instantly be turned off by them.
Documents must be written in language that is appropriate for the target audience and should clearly spell out the consequences of not following the policy.
Step Two: Distribute
The second key step in the management lifecycle of any policy is to ensure that staff are aware of the policies and procedures relevant to them.
Organisations need to effectively distribute policies, both new and updated, in a timely and efficient manner. These need to be consistently enforced across an organisation. After all, what is the point of expending considerable effort and cost to write and approve policies, if they are not effectively distributed and read?
Step Three: Gather Consent or Acceptance
In most regulatory cases, there is a requirement for evidence of policy acceptance by the user.
Therefore a process that monitors users' engagement with and response to policies must be implemented, whether that be a simple signature or an electronic equivalent. Collection of this consent or acceptance should be appropriate to the performance of the user's role.
For example, an organisation may want to ensure that a user signs up to their Information Governance policy on the first day that they start employment, whilst having up to two weeks to sign up to the Travel & Expense Policy.
A system needs to be in place to grant a user two weeks to process a particular document, after which the system should automatically require the user to process it.
Step Four: Measure Understanding
To monitor and measure staff comprehension of policies and associated documentation, and the effectiveness of those documents, organisations should test all or a subset of users.
This could be as simple as a post-read questionnaire.
Any areas that show weaknesses can be identified and corrected accordingly; or, if the policy is causing confusion, it can be reworded or simplified.
Step Five: Auditability
The full revision history of all policies should be maintained, along with a record of who has read what and when, the time spent reading it, and who declined a policy and why.
This record should be stored for future reference, for when there is a need to demonstrate user acceptance, and may be stored alongside test results.
Step Six: Reporting
Dashboard visibility of policy uptake and compliance by geographical or functional business unit helps to consolidate information and highlight exceptions.
Being able to quickly drill down for specific details in areas of poor policy compliance dramatically improves management’s ability to understand and address underlying issues.
Bringing it all together
To check the level of policy compliance that exists within your organisation you need to periodically be able to answer the following questions:
- Where are your current policies?
- Are they accessible to users?
- Who has read your current policies?
- Do users understand them?
- Are your policies being followed by everyone?
- Are your policies effectively managed?
- Are your policies current?
- Can you demonstrate any of the above answers to auditors?
Organisations that are serious about users reading, understanding and accepting their policies should consider adopting automated policy management software. This raises standards of policy compliance and provides managers with practical tools to improve policy uptake and adherence.
Ultimately, policy compliance is about ensuring everyone understands what is expected of them and how they are required to carry out their jobs according to corporate policies and procedures.
Embedding an automated policy management solution into an organisation is really the only viable way to create and sustain a culture of compliance, where people understand their responsibilities and the importance of adhering to corporate standards.
Doing so empowers people to do their jobs within an acceptable governance framework rather than constrained by a rigid set of unenforceable rules. By effectively handling the policy management lifecycle you can create a firm foundation for effective risk mitigation and governance.
Automation helps the Board, line managers and the general workforce get to grips with policy compliance, and offers a cost-efficient approach to achieving policy excellence.
Advanced Cyber Solutions partners with NETconsent for automated policy management. Everything covered in this blog, and more, can be achieved using the NETconsent solution. If you would like to learn more about NETconsent, book a call with one of our solution specialists today.