The False Economy of Neglecting IT Policy Management

Steve Macmillan

Hardly a week goes by without a cyber security incident being reported either nationally or internationally. The recent WannaCry ransomware outbreak is a widely reported example of an international cyber threat with global financial and operational consequences, one that caused many organisations to assess their immediate vulnerabilities and risk profile. WannaCry has been quickly followed by the release of a similar piece of ransomware named Petya. These new threats have been giving many people sleepless nights and have put a massive strain on resources to ensure that systems and data are not impacted. For the many organisations that have been impacted, an expensive clean-up exercise to restore systems and data has been a very unfortunate outcome.

Whilst it is important to always re-assess your processes, procedures and technology controls to mitigate the risks and threats above, it is increasingly important not to overlook the role your people play in security risk management and exposure. For many organisations, ransomware outbreaks ratchet up the pressure on the short-term operational front and make it very challenging for an already resource-constrained team to maintain any consistent focus on developing the strategic and proactive initiatives that drive programmatic IT security improvement for the long term.

The uncomfortable truth is that human factors are often ultimately the weakest link in these situations, and organisations that should readily be able to demonstrate a degree of security maturity are actually very exposed.

The best place to start demonstrating your security maturity is by building a solid foundation of comprehensive IT policies. These establish a common standard for operational system use and set a solid foundation for effective control of risk as part of your Security Maturity Model.

By creating this organisational “IT highway code of conduct”, users know the guidelines and rules of operation, minimising accidental data breaches and unnecessary security risks. The main objective of your information security policies is therefore to protect corporate systems and maintain data confidentiality, integrity and availability.

As IT policy management subject matter experts, Protocol Policy Systems regularly gains insights from organisations into some of the motivations and challenges associated with creating, publishing and maintaining good IT policies.

In talking with senior executives and their teams about the need to have good IT policy in place, we highlight the seven key motives below.

  • Endorse the commitment of the CEO and senior management to protecting valuable information assets – increasing stakeholder confidence in the organisation
  • Enable the organisation to meet its legislative requirements – operating to required minimum standards such as PCI-DSS, ISO27001/2, PSN and other directives
  • Help protect the assets of the business – such as infrastructure, corporate information and the users of systems
  • Provide the IT security framework for an organisation – building a Security Maturity Model for continued security improvement
  • Provide a uniform level of control and consistent guidelines for management – which helps support disciplinary procedures in cases of intentional misuse of systems and breaches
  • Communicate one computer security message to all
  • Advise staff about computer security and about their responsibilities

Generally we get agreement that these points make good sense. One might then assume that developing and delivering IT policies is a straightforward exercise for any organisation. The reality is unfortunately very different. We have highlighted below the main challenges organisations face in creating, publishing and maintaining IT policies, and how a different approach may be more effective.

The Executive Sponsorship Challenge

Whilst CIOs and IT managers understand the importance of having comprehensive, up-to-date IT policies that all users of corporate information and systems can access, and the risks of not having them, it remains a challenge to raise the profile of policy management across the executive team and attain the level of priority, attention and investment required for effective implementation.

Canvassing Executive sponsorship should incorporate discussion around risk and the value of establishing comprehensive IT policies that are relevant and tailored to an organisation.

When done correctly, IT policy management can be part of an enabling culture for the workforce, and is as much about protecting the people assets as the information assets of any organisation.

Having comprehensive IT policy management practices in place demonstrates good information governance upon which procedures, processes and informed technology investments can be made.

So whilst CEOs and CIOs will agree in principle that IT policy management is very much required for their organisation, they often struggle to reconcile the time, cost and effort needed to get the job done in-house. Factors that contribute to this stance include a lack of expert knowledge of policies, making policies relevant whilst demonstrating compliance with legislation and standards, delivering policy in a simple, easy-to-understand format for the various user levels, and the ongoing maintenance of the IT policy library to assist with audits and compliance.

The Subject Matter Knowledge Challenge

What is the next stage once your executive team agrees that IT policy management needs to be given some attention? Typically, you will look within your organisation for a suitable candidate to allocate this project to.

Unless you are fortunate enough to have employed an IT policy subject matter expert with lots of available time, it is more likely you will be tempted to allocate it to another member of the IT team, who may be tasked to slot it into their existing workload. If this is the case, it is not just the effort and time to create policies that need to be factored into the project, but also the time and cost of gaining the expert knowledge to create relevant and effective IT policies.

You should also factor in the need to keep your policy author’s knowledge current so that policies are always updated and relevant. Consider a knowledge share and transfer plan in the event that your “internal expert” is no longer available to maintain your policies.

The Best Practice, Standards and Legislation Challenge

An extra consideration when establishing your IT policies is your organisation’s governance, compliance and legislative requirements.

For example, within the UK public sector there may be a need to comply with Public Services Network (PSN) requirements and undergo an audit exercise periodically. A similar approach is driven by the Payment Card Industry Data Security Standard (PCI-DSS), which will be applicable to any public or private organisation processing card payments.

Many organisations build their comprehensive IT policies on ISO27002, the industry standard for information security best practice, and the ISO22313 business continuity standard. These standards provide an excellent foundation upon which organisations can start to demonstrate good information governance.

From a legislative perspective, there is a pressing need for organisations to develop and deliver policy that meets the requirements of the EU General Data Protection Regulation (GDPR), which comes into effect in May 2018.

As these standards and legislation continue to evolve, your policy content may need to be updated. Your IT policy management expert needs to keep on top of the changes and update policies accordingly, where applicable, to maintain compliance and meet audit requirements.

Finding the Time

Given the above challenges, it is easy to see that IT policy management requires effort, expert knowledge and considerable time allocated to its development.

Often there is a catalyst for establishing or updating IT policies within an organisation, which can trigger a “Big Bang” approach after a long period, possibly even after several years. This could be a security incident such as the recent WannaCry event, the associated risk of a fine, or a pending compliance and governance audit, such as ISO27002, PCI-DSS or PSN, which highlights either the absence of IT policies or that the documented guidance content is outdated.

When the “Big Bang” happens, the policy management lifecycle for creation or updating often takes several months, presenting the added challenge of finding suitably skilled resource to prioritise IT policy management whilst managing pending risks and any corporate reputation damage.

In instances where “someone” has been compelled to make “ad hoc” changes or edits to keep content current, it often becomes evident on reviewing the content that process and procedural elements have “appeared” in the policy statements, suggesting that “the someone” is not trained in writing policy. Cross-referencing in the content to relevant standards such as ISO or PCI is also often limited or non-existent.

Make IT Policies easy to find and build awareness

Despite organisations having spent anything up to two years creating IT policies to meet corporate objectives around information security, risk management, and regulatory and auditing requirements, IT policies are often filed away at HQ and rarely seen or used. No “visibility” results in no accountability, no compliance and/or no adherence to your desired IT Highway Code of Conduct. This is further compounded if the organisation is geographically dispersed or decentralised.

Once the policies are in place and your IT Highway Code of Conduct is published and visible, specialists can then assist the organisation to socialise the policies and deliver an education and awareness programme. This will help embed the desired common guidelines and rules of operation and help minimise accidental data breaches and unnecessary security risks.

Request an IT Policy Management Cost Calculation

Partnering with a specialist IT policy organisation could reduce your investment in establishing and maintaining an IT Policy Management platform by as much as 70%.

If you would like to arrange a gap analysis of your existing policy suite, or wish to assess the costs you incur establishing and updating your IT policies against our comprehensive list of 25 customised IT policies, then please contact us.

Please note that all of our 25 policies are cross-referenced to standards such as ISO27002 and PCI-DSS, and demonstrate your compliance with the Public Services Network (PSN) requirements.
Contact Us Today

Fill in the form or call us on (UK) +44 845 241 0099 or (NZ) +64 9 570 2233