I’m helping one of my clients with updating their information security and privacy policies, aligning them with ISO 27002, and creating new policies to fill gaps as necessary based upon the organization’s risks. I was speaking with the CISO this week and he made a statement that I’ve heard many times over the years that really is a blockade to advancing information security within most organizations.
“I wish when the CEO rejects a policy he would tell me why. I know he’s short on time, but it would help me do my job so much better if he’d just explain why.”
Does this sound familiar?
I know many CISOs, CPOs and other information security and privacy leaders are also guilty of just saying “NO,” without providing an explanation for why they came to that decision, whenever personnel ask for policy exceptions, ask to use new technologies, and so on.
You will not be as effective as you can be if you just tell your coworkers “no” in response to a request. If you want to foster a cooperative and productive business atmosphere you should always explain why you have come to that decision, even if it does take you a little more time to provide the explanation. In the long run this explanation, and the resulting understanding on the part of your requestor, will save you time through better compliance and fewer ongoing questions on the same topic.
I know most of you think this should go without saying, but the reality is that most organizations don’t provide an explanation for each policy, or the explanation provided is really lousy, such as, “Because the law requires us” or “Because the CEO says so.”
No kidding…I’ve seen both of these more than once.
Have you told this to any of your personnel?
The format of information security and privacy policies in most organizations does not typically allow for such an explanation, or statement of purpose. However, having this documented for personnel to reference is important to achieving buy-in, cooperation and understanding. Such documentation is also critical and valuable for audits and regulatory oversight reviews.
If you do not have such a section within your policy document, I recommend including a link to a separate document that contains this information.
Most explanations justifying the need for information security and privacy policies should include at least the following three elements:
* The laws and regulations that require such policies. Explicitly name the laws/regulations, such as, “The Health Insurance Portability and Accountability Act (HIPAA) requires our organization to have safeguards in place to…(provide information related to the policy).”
* The threats to your organization that require such policies. Describe the threats that having the policies will mitigate. For example, “Because of the very large amount of malicious code, such as viruses, worms and Trojans, that can be attached to email messages, we require that all email messages be scanned for this malicious code to help prevent business disruption, damage to information, and…”
* The vulnerabilities within your organization that require such policies. Describe the inherent vulnerabilities within your organization that having the policies will help to address. For example, “Because it is so easy to lose handheld computing devices we must…”
Within your explanations provide links to definitions of terms, such as “virus,” “worm,” and “Trojan,” that your personnel may not be familiar with.
Very importantly, do not write your explanations, or your policies either for that matter, in techno-babble gobbledygook! Write in such a way that all levels of your staff, from the CEO down the entire org chart, can understand.
Tags: awareness and training, Information Security, IT compliance, policies and procedures, privacy, privacy policy, risk management, security awareness, security training