• Security breaches are damaging and costly. Trying to prevent and respond to them without robust, enforceable policies makes a difficult situation even harder to handle.
• Informal, un-rationalized, ad hoc policies are ineffective because they do not explicitly outline responsibilities and compliance requirements, and they are rarely comprehensive.
• Without a strong lifecycle to keep policies up to date and easy to use, end users will ignore or work around poorly understood policies.
• Time and money is wasted dealing with preventable security issues that should be pre-emptively addressed in a comprehensive corporate security policy program.

InfoSec leaders will struggle to craft the right set of policies without knowing what the organization actually needs, such as:

• The security policies needed to safeguard infrastructure and resources.
• The scope the security policies will cover within the organization.
• The current compliance and regulatory obligations based on location and industry.

Info-Tech’s Develop and Deploy Security Policies takes a multi-faceted approach to the problem that incorporates foundational technical elements, compliance considerations, and supporting processes:

• Assess what security policies currently exist within the organization and consider additional secure policies.
• Develop a policy lifecycle that will define the needs, develop required documentation, and implement, communicate, and measure your policy program.
• Draft a set of security policies mapped to the Info-Tech framework, which incorporates multiple industry best-practice frameworks (NIST, ISO, SOC2SEC, CIS, PCI, HIPAA).

Your Challenge

This research is designed to help organizations design a program to develop and deploy security policies

• A security policy is a formal document that outlines the required behavior and security controls in place to protect corporate assets.
• The development of policy documents is an ambitious task, but the real challenge comes with communication and enforcement.
• A good security policy allows employees to know what is required of them and allows management to monitor and audit security practices against a standard policy.
• Unless the policies are effectively communicated, enforced, and updated, employees won’t know what’s required of them and will not comply with essential standards, making the policies powerless.
• Without a good policy lifecycle in place, it can be challenging to illustrate the key steps and decisions involved in creating and managing a policy.

The problem with security policies

29% Of IT workers say it's just too hard and time consuming to track and enforce.

25% Of IT workers say they don’t enforce security policies universally.

20% Of workers don’t follow company security policies all the time.

Common obstacles

The problem with security policies isn’t development; rather, it’s the communication, enforcement, and maintenance of them.

• Employees are not paying attention to policies. Awareness and understanding of what the security policy’s purpose is, how it benefits the organization, and the importance of compliance are overlooked when policies are distributed.
• Informal, un-rationalized, ad hoc policies do not explicitly outline responsibilities, are rarely comprehensive, and are difficult to implement, revise, and maintain.
• Date breaches are still on the rise and security policies are not shaping good employee behavior or security-conscious practices.
• Adhering to security policies is rarely a priority to users as compliance often feels like an interference to daily workflow. For a lot of organizations, security policies are not having the desired effect.

Reaching an all-time high, the cost of a data breach averaged US$4.35 million in 2022. This figure represents a 2.6% increase from last year, when the average cost of a breach was US$4.24 million. The average cost has climbed 12.7% since 2020.

Actions

1. Develop policy lifecycle
2. Identify compliance requirements
3. Understand which policies need to be developed, maintained, or decommissioned

a) Security policy program lifecycle template

a) Policy template set

Actions

4. Differentiate between policies, procedures, standards, and guidelines
5. Draft policies from templates
6. Review policies, including completeness
7. Approve policies

Actions

11. Enforce policies
12. Measure policy effectiveness

a) Security policy tracking tool

a) Security policy awareness & training tool

Actions

8. Identify any changes in the regulatory and compliance environment
9. Include policy awareness in awareness and training programs
10. Disseminate policies

IT/InfoSec Benefits

• Reduces complexity within the policy creation process by using a single framework to align multiple compliance regimes.
• Introduces a roadmap to clearly educate employees on the do’s and don’ts of IT usage within the organization.
• Reduces costs and efforts related to managing IT security and other IT-related threats.

Business Benefits

• Identifies and develops security policies that are essential to your organization’s objectives.
• Integrates security into corporate culture while maximizing compliance and effectiveness of security policies.
• Reduces security policy compliance risk.

Key deliverable:

Security Policy Templates

Templates for policies that can be used to map policy statements to multiple compliance frameworks.

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.

9.5 /10

$29,015

25

DIY Toolkit

Guided Implementation

Workshop

Consulting

Diagnostics and consistent frameworks used throughout all four options

Phase 1

Phase 2

Phase 3

Phase 4

Call #2: Review policy lifecycle; prioritize policy development.

Call #4: Gather feedback on policies and get approval.

Call #6: Develop policy training and awareness programs.

2.1 Customize policy templates

2.2 Gather feedback from users on policy feasibility

2.3 Submit policies to upper management for approval

3.1 Understand the need for communicating policies

3.2 Use myPolicies to automate the management of your security policies

3.3 Design, build, and implement your communications plan

3.4 Incorporate policies and processes into your training and awareness programs

4.1 Assess the state of security policies

4.2 Identify triggers for regular policy review and update

4.3 Develop an action plan to update policies

Scenario 1: You have existing policies

1. Use the Security Policy Prioritization Tool to identify any gaps between the policies you already have and those recommended based on your changing business needs.
2. As your organization undergoes changes, be sure to incorporate new requirements in the existing policies.
3. Sometimes, you may have more specific procedures for a domain’s individual security aspects instead of high-level policies.
4. Group current policies into the domains and use the policy templates to create overarching policies where there are none and improve upon existing high-level policies.

Scenario 2: You are starting from scratch

1. To get started on new policies, use the Security Policy Prioritization Tool to identify the policies Info-Tech recommends based on your business needs. See the full list of templates in the Appendix to ensure that all relevant topics are addressed.
2. Whether you’re starting from scratch or have incomplete/ad hoc policies, use Info-Tech’s policy templates to formalize and standardize security requirements for end users.

Align your security policies to the Info-Tech Security Framework by using Info-Tech’s policy templates.

• ISO 27001/27002
• COBIT
• Center for Internet Security (CIS) Critical Controls
• NIST Cybersecurity Framework
• NIST SP 800-53
• NIST SP 800-171

Info-Tech Security Framework

Defines the cycle for the security policy program and what must be done but not how to do it. Aligns the business, security program, and policies.
Addresses the “what,” “who,” “when,” and “where.”

Defines high-level overarching concepts of security within the organization, including the scope, purpose, and objectives of policies.
Addresses the high-level “what” and “why.”
Changes when business objectives change.

Defines enterprise/technology – specific, detailed guidelines on how to adhere to policies.
Addresses the “how.”
Changes when technology and processes change.

• Provides emphasis and sets direction.
• Standards, guidelines, and procedures must be developed to support an overarching policy.

Standard:

• Specifies uniform method of support for policy.
• Compliance is mandatory.
• Includes process, frameworks, methodologies, and technology.

Procedure:

• Step-by-step instructions to perform desired actions.

Guideline:

Supporting Documentation

If policies describe what needs to happen, then standards explain how it will happen.

A good example is an email policy that states that emails must be encrypted; this policy can be supported by a standard such as Transport Layer Security (TLS) encryption that specifically ensures that all email communication is encrypted for messages “in transit” from one secure email server that has TLS enabled to another.

• The tool allows you to prioritize your policies based on:
  • Importance: How relevant is this policy to organizational security?
  • Ease to implement: What is the effort, time, and resources required to write, review, approve, and distribute the policy?
  • Ease to enforce: How much effort, time, and resources are required to enforce the policy?
• Additionally, the weighting or priority of each variable of prioritization can be adjusted.

Align policies to recent security concerns. If your organization has recently experienced a breach, it may be crucial to highlight corresponding policies as immediately necessary.

Info-Tech Insight

If you have an existing policy that aligns with one of the Info-Tech recommended templates weight Ease to Implement and Ease to Enforce as HIGH (4-5). This will decrease the priority of these policies.

Download the Security Policy Prioritization Tool

Identify an executive champion who will ensure that the security program and the security policies are supported.

Security can be viewed as an interference, but the business is likely more responsive to the concepts of risk and protection because it can apply to overall business operations and a revenue-generating mandate.

Inform stakeholders of the policy initiative as security policies are only effective if they support the business requirements and user input is crucial for developing a strong security culture.

Leveraging the current security landscape can be a useful mechanism to drive policy buy-in from stakeholders.

This is key to policy acceptance; it indicates that policies are accurate, align with the business, and are to be upheld, that funds will be made available, and that all employees will be equally accountable.

1. The security policy lifecycle is an integral component of the security policy program and adds value by:
   • Setting out a roadmap to define the needs, develop required documentation, and implement, communicate ,and measure your policy program.
   • Defining roles and responsibilities for the security policy suite.
   • Aligning the business goals, security program goals, and policy objectives.
2. Review the sections within the Security Policy Lifecycle Template and delete any sections or subsections that do not apply to your organization.
   • As necessary, modify the lifecycle and receive approved sign-off by your organization’s leadership.
   • Solicit feedback from stakeholders, specifically, IT department management and business stakeholders.

Download the Security Policy Lifecycle Template