May 24, 2021
In our March newsletter we discussed the role of IT Policies and Procedures in the IT environment and stepped through the importance of clearly defining terms such as policy, procedure, standard etc.
A common challenge, often encountered by organisations when drafting and reviewing a policy, is the use of wording that clearly reflects the policy’s intent and follows best practice.
Words such as “Must” or “Shall” show an absolute intent to meet a requirement, as do the words “Must not” or “Shall not”.
Whereas the use of words such as “Should” or “May” is less prescriptive, they could be deemed softer words that imply there may be some choice as to how a requirement is met.
Often the security posture of an organisation may dictate that it is not in a position to completely satisfy the requirements to fully comply with key IT security standards or best practice guidance.
During our policy workshops we assist organisations to determine how their IT security policies should be worded, taking into account the reality of their security posture.
As an outcome of these discussions the participants typically choose to either –
Where full or partial compliance to a standard (or best practice) is not currently achievable – but is something to be attained or aspired to in the future – then removing statements is an option.
However, as an alternative to statement removal we recommend making the statement(s) less prescriptive by softening the wording. If a less prescriptive wording change is the chosen option, it’s a good idea to create an action item with a realistic timeframe to address the matter, which when completed will see the policy wording updated.
Developing effective IT security policies to protect systems, data, and users requires a considerable amount of discussion and input from multiple stakeholders. IT Policy Management as a Service makes this process very efficient as it allows an organisation to call upon our subject matter experts to guide them through decisions such as: