Policies & Procedures: The Rules of the Road
Anywhere there is a perceived risk, organisations help to mitigate it by developing suitable rules (Policies) and teaching people how to comply with those rules (Procedures), for example:
The Green Cross Code - Helping children to safely cross a road.
Cycling Proficiency - Helping children to cycle safely.
Manual Handling - Helping employees to understand the safe way to lift heavy objects.
The Highway Code - Guidance for operating vehicles safely on the roads (non-adherence resulting in a warning, a report or disciplinary action), with a minimum level of proficiency being needed before a driver is allowed to drive 'solo'.
Cash Handling - Rules established which detail how monies must be handled.
Weapon Handling - Regular training applied to all military personnel, who are required to handle weapons.
Okay, so given the changing nature of the information handled within a business and the threats to it, why is it that there appears to be an apparent apathy towards, and undervaluing of, effective policies and procedures, or of the time dedicated to carrying out initial/refresher training on the content relevant to employee roles?
With respect to driving, ignorance of the Highway Code is no excuse, and as a result if you are caught driving in excess of the statutory speed limit you can expect that disciplinary action may be taken against you.
Within business the lack of investment appears to be a result of organisations putting the 'cart before the horse'. They are handling company-sensitive or personal data long before they consider how this type of information should be safely and securely handled, stored or transmitted. This apathy leads to ignorance and complacent handling, thus leading to carelessness and accidents, resulting in a data breach. At this point, the value of benchmarking themselves against an industry standard becomes more attractive - requiring documented policies or procedures. The other occasion when a company may take the initiative to introduce policies and procedures could be as the result of trying to get the 'badge on the wall' (certification), or as the result of a regulatory mandate (e.g. PCI DSS, GDPR, etc.).
Data comes in many formats (digital, hardcopy), typically involves numerous employees and technologies, and can be easily stored, copied or transferred. All of this contributes to the need for a wealth of different rules and guidance to be developed.
Where do you start?
One of the easiest options is to purchase a generic suite of document templates aligned to a specific industry standard (e.g. PCI DSS, ISO 27001, etc.); with a little personalisation you can 'tick a box' for compliance, and this may certainly help to expedite the process.
However, IS Centurion recommend an alternative approach whereby you do not start by aligning to an industry standard, but instead begin by identifying the risks associated with your business's data and processes - much like the development of the 'Highway Code' (where no previous industry standard was available for benchmarking).
Next, you draft a rule to help mitigate this risk, e.g.
A risk of mobile devices being stolen, when left unattended in motor vehicles
"All employees must ensure that mobile devices remain in their safe custody (where practicable) and if impracticable to take the item with you, the device should be securely stored out of sight of opportunist thieves (care must be taken to ensure that the storage of the device is not overseen)".
Although this does not completely eliminate the risk, it clearly articulates a rule to help mitigate it, and it is written in a clear and concise format that can be easily understood.
The development of a suite of rules should be priority 1 for any business and will lead into the next priority - baselining for regulatory compliance. This is where you map the list of rules against any additional mandated regulatory requirements. To further facilitate the development of effective and 'People-Centric' policies, rather than leaving the development to your InfoSec Manager or InfoSec team, why not take the radical approach of engaging your employees with a team workshop? Imagine a scenario where your employees feel involved and are able to actively contribute to the identification of the risks that may impact the data they handle. This can be as simple as an interactive InfoSec awareness workshop, where the audience are asked to write risks down on self-adhesive notes. The audience are then divided into breakout groups, where they are asked to develop rules that will help to mitigate the risks they have identified.
The results can then be grouped into hierarchies against the relevant departmental responsibilities, helping to align the appropriate rules to the appropriate personnel.
No doubt that there will be some traditional/senior business leaders, or the 'Old and Bold' InfoSec professionals who will balk at the thought of developing InfoSec documents in such a way. However, given that insider risks are still being reported as being the number 1 cause of data breaches, IS Centurion strongly believe that new and alternative approaches will help businesses to improve rule awareness, improve the security culture and reduce such risks.
If employees better understand the risks and are heavily involved in contributing to the development of the rules that counter these risks, they are more likely to support the rules, less likely to break them, and more likely to report infringements or help police their peers.
Although, much like the 'Rules of the Road', there is always the chance of the odd individual who knows better or who believes that the rules do not apply to them.
A People-Centric approach to the development of your InfoSec documents delivers higher levels of psychological benefit, as described in Maslow's Hierarchy of Needs.
Any business wishing to reduce its insider risks and improve its security culture should consider looking into new and innovative approaches that help make InfoSec more inclusive, rather than something limited to an organisation's InfoSec specialists. Successful InfoSec integration has evolved in line with the changing digital environment and the ever-present cyber threats.