
What Makes for a Good Cyber Security Policy Framework?

By Alvaro Rosa

31 October 2025

The challenges of developing cyber security policy

Cyber policies, standards, and procedures are often a weak spot for organizations. There are a few main reasons for this:

  • Lack of internal expertise: Many teams do not have the appropriately skilled and experienced resources to develop these documents.

  • Perceived cost and resource constraints: Many organizations view the investment into developing a cyber policy framework as unjustified and believe that staff cannot be diverted from Business as Usual (BAU) activities to the seemingly onerous task of creating and maintaining such documentation.

  • Reliance on informal practices: Organizations often rely on processes that have stood the test of time, even when informal and undocumented. Undocumented processes depend on the knowledge of specific individuals, but that may not be perceived as a big problem until they leave the organization or become unavailable.

Reviewing documented cyber policies is central to my work as a cyber consultant, either in specific engagements of policy development or as part of broader cyber audits and reviews.

Over the years, I have reviewed hundreds of cyber policy sets. Out of those, how many would I classify as "good"? Whilst I do not maintain statistics, from my professional experience, I would say the answer is definitely less than one in three – maybe even less than one in four.

This article will present the case of why the points listed above should not deter organizations from developing and maintaining a high-quality, robust cyber policy framework, as the benefits far outweigh perceptions and concerns.

Benefits of a robust cyber policy framework

All too often, policies are viewed more as a box-ticking exercise to satisfy auditors and meet compliance requirements than as a necessary, useful tool to improve cyber security posture.

Why should organizations invest time and money in developing and maintaining a robust, well-documented set of policies, standards, and procedures?

1. Accountability: Only well-documented policies can rigorously define what needs to be complied with and establish consequences for breaching policy.

2. Repeatability of processes: Well-documented procedures ensure that processes are repeatable and do not rely on the knowledge and experience of specific individuals.

3. Improved maturity: It is not without reason that maturity rating scales (e.g., CMMI) consider the degree of documentation as a key criterion in assigning maturity ratings.

4. Compliance: Even though standards and regulations (other than those that are quality-focused, such as ISO 9001) may not always have strict requirements for documentation quality, having a robust set of high-quality policies and procedures goes a long way toward demonstrating compliance. Additionally, having the relevant regulatory requirements mapped to existing documentation demonstrates good practice and facilitates the auditing process itself.

Developing and maintaining a good cyber policy framework does not come without associated costs, but these are not massive, and the benefits far outweigh the investment required.

Policy enforceability

I often encounter situations where the individuals responsible for a cyber policy framework do not feel sufficiently empowered to dictate policy that needs to be enforced in the broader business. Sometimes, they try to avoid the issue by holding and enforcing policies for IT and security audiences only.

This does not work. As any cyber security standard or framework will tell you, cyber security is everyone's responsibility and needs to be mandated from the top down.

The lack of a clear directive and endorsement from top management is to blame for the lack of empowerment felt by cyber security managers, and that problem needs to be addressed at its very root.

Another common situation is that policy authors may find themselves asking, "How can we put this in the policy when we know it is not the current practice and culture of the organization?" Sometimes, they may try to settle for 'aspirational' requirements: using 'should' instead of 'shall', or writing documents only as guidelines instead of policies.

Again, this is not good enough; the lack of a clear mandate from the top is mainly responsible for the absence of a culture of embracing cyber security. Policies should not be watered down to make them more easily acceptable by the organization.

In any case, policies can only be enforced if two conditions are met:

1. They constitute mandatory reading for the relevant audiences
2. There are disciplinary consequences for non-compliance

I have often heard concerns that policies are too extensive and/or too technical for general staff. Of course, policies aimed at all employees should be understandable by non-technical audiences, but the minimum requirements to ensure an adequate cyber security posture cannot be overlooked or waived. You cannot make an omelette without breaking eggs.

Policies vs. standards vs. procedures

What you and I would call a policy might be called a standard by someone else. Although the terms are sometimes used interchangeably, the most widely held understanding is that policies are high-level statements that outline the 'what' and 'why' and are aimed at broader audiences. By contrast, standards establish specific rules or criteria to support the implementation of policies, are aimed at more restricted audiences (technical teams, implementers), and focus on the question of 'how' or 'how much'.

The concept of a procedure is more universal: a set of detailed step-by-step instructions to carry out tasks in line with policies (and/or standards)—i.e., addressing the execution of the 'how'.

Standards and procedures work together to document the existing processes. Table 1 below summarizes the differences between the different types of documents.

Although, from a compliance perspective, it may not be very relevant what the documents are called—as long as the appropriate content to meet compliance requirements is present—organizations should endeavor to be consistent in the naming and wording of their policy framework documents.

Table 1: Differences between cyber security policies, standards, and procedures (table image not reproduced here).

Call the experts

If, as is often the case, an organization does not have team members with the right skillset and expertise to develop good-quality cyber policies, it should always consider the option of procuring specialist support.

Experienced cyber security consultants seasoned in developing robust policies for all types of organizations are well-placed to help you avoid the pitfalls and frustrations that often come with in-house development.

Standards, and especially procedures, are more specific and typically require a higher degree of internal knowledge to incorporate adequate content reflecting the organization’s actual detailed requirements and processes. However, even in this case, expert insights can be extremely valuable.

This type of consultancy service always carries an element of knowledge transfer, which enables organizations, post-development, to maintain cyber policy frameworks on their own (or with minimal support).

Conclusion

A good cyber policy framework is vital for organizations seeking to enhance their cyber security posture. It enables them to establish accountability, ensure repeatable processes, achieve a target cyber security maturity, and better demonstrate compliance with applicable standards and regulations. 

If your organization does not yet have a robust set of high-quality cyber policies, standards, and procedures, I strongly recommend that you take the first step by selecting and engaging with a trusted, specialist third party.


Alvaro Rosa

Principal Security Consultant, NCC Group

A key member of the Consulting & Implementation capability practice, Alvaro Rosa is co-responsible for the Policy Pack and Policy Development service line. He has delivered and supervised numerous projects involving review and/or development of cyber policy frameworks for clients across a variety of sectors and regions.
