A recent IT security policy gap analysis we undertook for a client highlighted how frequently policies and procedures get confused. Our report found that the client had a selection of well-written procedural documents, a small number of policy documents, and a third group of documents that mixed policy statements with procedural wording.
The Role of Policies and Procedures
The distinction between a policy and a procedure is often misunderstood. Both play a key part in managing a business, and the two types of document depend on each other: procedures implement what policies require.
IT security policies should be written to outline the objectives of your information security programme. A well-written IT security policy gives managers and employees clear statements of what they must or must not do when interacting with systems and data. Policies should be formally reviewed, approved and supported by senior management before being released to the organisation and its people.
IT procedures document "how to" complete an IT task or process, and in some cases will be quite detailed and lengthy. Procedures are invaluable for ensuring that the tasks the business depends on are completed consistently. They work well where a task is complicated, requires consistency, entails completing documentation, or is dangerous if carried out incorrectly.
Mixing policies with procedures makes both unclear to the reader and diminishes their effectiveness. A policy is approved by senior management and should change rarely; a procedure changes whenever the systems or tooling change. Binding the two together in one document means either the procedural detail goes stale under an approved policy, or every technical change has to go back through formal policy approval.
Getting the Structure Right
In building a house, if you get the foundations right, the structure that sits on top is more likely to stay in place. Investing in foundational IT policies that are well written and easy to understand sets your information security programme and security culture on a solid footing.
For those who can muster the time and money to create a full set of information security programme documentation, a comprehensive suite should comprise the following layers, from the most general to the most specific:
- Policy – statements of intent that guide and direct people on how they are expected to interact with organisational systems and data.
- Control Objectives – the target state that must be reached for the policy's intent to be met.
- Standards – established, finite and quantifiable requirements for processes, actions and configurations, against which compliance can be measured.
- Procedures – the detailed "how to" for completing an IT task or process.
- Guidelines – recommended practice for users where no specific standard applies.
Protocol Policy Systems helps organisations document and deliver the key elements of an information security programme.
Our Policy Management as a Service (SaaS) offering is subscription based: our experts help you deliver a comprehensive suite of policies customised to your business requirements.
Each policy is written in plain English so that it is easy to understand, and is supported by an additional "explanation" drop-down box. The policies are set up for three user types: General, Manager and Technical User.
Satisfying audit and compliance requirements is straightforward, as every policy delivered in the system is mapped to international standards such as ISO and PCI.
Policy Management as a Service is delivered at a fixed cost per annum, providing up-to-date, relevant policy content with supporting material. Knowing the foundations are in place means your team can focus on other important or higher-value security tasks.
To book an online demonstration contact Emma Tickner.
Click Here to view our walkthrough video of the IT Policy System.