Policy compliance within the information security space can be an exhausting concept to wrap our heads around. Writing a policy document, publishing it to staff and then staying hands-on to ensure it is followed in perpetuity is easily seen as an arduous, if not impossible, task. Yet policies set the basis for every successful information security initiative. As governance is about setting direction for the business, policies are how we provide centralized management of the organization's expectations. Without policy, it is difficult for a business as a whole to adhere to specific regulations or to be protected from security gaps. Though obtaining policy compliance can be interpreted as a daunting endeavor, this function is the foundation of all successful information security programs. Four components are necessary to ensure that your policy is implemented successfully throughout your business: transparency, alignment, sponsorship and accountability. Simple is the name of the game here. Using these four components is intended to make the policy compliance process much easier and more straightforward.
Be clear with communication
Why are you asking your colleagues to review and acknowledge yet another policy document? Though it may be clear to us as information security professionals, we need to be sure that we communicate the purpose of this new policy when requesting that staff review and acknowledge it. Being explicit removes a barrier to compliance because it allows those within the organization to fully understand the intent of the policy and their subsequent responsibility to it. As policy executors, it is our duty to clearly communicate the reason for the policy to our fellow staff and to be fully transparent on why it is being implemented within the organization. Don’t forget to keep your purpose explanation simple and to the point!
Get buy-in early from leadership
Be strategic by getting early support from management and the executive team. Sponsorship from the appropriate parties is critical for the success of new policies and perpetual compliance from the organization as a whole. If we are unable to obtain buy-in from the decision makers within our organizations, such as management or the board, it will be impossible for our colleagues to get behind the new policy. Communicate the value of the policy early on in the development process by aligning with the company risk register. Demonstrating that your policy will positively address or mitigate an item on the risk register serves as great leverage for gaining early support from key decision makers.
Evaluate your security culture
Begin by evaluating your cybersecurity culture. How do your colleagues prefer to be contacted? We are more likely to obtain policy compliance if we can meet our coworkers halfway and distribute the new procedure in a way that is easy for them to receive. Some companies make ample use of a Learning Management System (LMS) for distribution. Others transmit the message of a new policy through email. Taking the temperature of your security culture will allow you to identify how fellow employees are most likely to notice a new policy change and therefore be comfortable following it.
Establish accountability
Identify one individual (and one individual only) to be accountable for follow-through on the policy. While delegating responsibility for policy compliance to a group or team may seem like a reasonable decision, it can easily lead to gaps. When more than one individual is responsible for the overall success of a policy, tasks fall through the cracks and key results are not achieved. Compliance objectives are less likely to be met if we delegate accountability to a group instead of one individual, since roles and responsibilities become too loose. Designate one information security professional within your organization to be responsible for policy compliance and schedule regular (and actionable) metrics to measure policy response over a defined period of time. One effective metric is the percentage of staff who have reviewed and acknowledged the policy within the first quarter of its publication. Another enlightening measurement is the number of policies that exist within your organization. This number will typically indicate whether colleagues require more guidance on their compliance expectations or whether the sheer number of documents requiring review has become overwhelming for the employee population.

Implementing a new policy and having it followed doesn't need to be laborious and taxing for the security group. As information security professionals, we tend to make things more difficult than needed, including the concept of policy implementation and compliance. Keeping it simple by being transparent, aligning with the security culture, getting early sponsorship and establishing accountability does not have to be arduous to be effective. Take this as an invitation to keep the compliance process simpler when you implement and distribute your next policy document!
About the Author: Keavy Murphy is passionate about cybersecurity, especially for new and emerging companies, and prioritizes the use of soft skills to effectively manage security and data privacy in parallel with business objectives. Previously, she served in information security roles within both the finance and consumer-directed healthcare fields. She enjoys writing about and researching the benefits of effective communication within the security space, and her work has most recently been published in Infosecurity Magazine. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.