Writing security policy is a complicated task that should involve input from upper management, human resources, staff representatives, IT, physical security, legal, and marketing / public relations. In small businesses one person may take on multiple roles, but all of these roles have to be represented in policy making. The following are the individual roles whose input should be used in the policy-making process.

Upper Management
Policy should always start with upper management, just as business direction and goals should always start with upper management. Concerns of upper management that policy should address include employee productivity, keeping costs down and under control, and protection of company assets. While upper management may not be able to participate directly in writing policy, they should provide the requirements and goals for the written company policy.

Human Resources
Human resources needs to understand the policy in order to convey changes to existing employees, to provide feedback on the impact of policy changes (both past and anticipated), and to be able to update documents such as the employee handbook. They are also usually responsible for performing new hire orientation.

A human resources representative will want policy in place to prevent harassment. This almost always means web filters that block pornography and network protections that prevent anonymous messages from being sent to other employees. They may also be concerned about employee productivity. Human resources often does not understand the limitations of technology in preventing issues that are really management issues. For example, they would prefer that all issues could be solved by technology controls rather than by dealing with their people. Confrontation, firing, and disciplinary actions are all things they would prefer to avoid if at all possible. They need to participate in policy making to ensure their concerns are heard, but also in order to understand directly from Information Technology exactly what the technical limitations of prevention methods are. HR is also interested in providing a pleasant work experience for employees. Perks such as web access at work, social media, cell phones, dress codes, flex-time, and vacation policies all make their job of hiring and retention easier.

An easy-to-understand example is as follows: Human resources may decide that they don’t want anyone to view pornography at work for two major reasons. First, someone may be offended by it; second, someone may be distracted by it and fail to perform their job. They want IT to provide controls to prevent pornography from reaching the screens of the users. There is no 100% effective way to block pornography while still providing useful access to the Internet. There is also the matter of what qualifies as pornography. Human resources needs to understand the effectiveness of controls, and that a written policy is required that places the responsibility for safe browsing on each employee. They need to be prepared with consequences for when the policy is violated.

Staff Representation
Any time a major change is being made in a larger organization, someone not associated with the process of writing or shaping the policy should be consulted, for several reasons. First is readability and understandability. If the policy is vague or unclear, this is the perfect opportunity to clean it up before putting it out. Second is for reaction. If the individual is upset or concerned about the policy, this is the time to figure out what specifically is causing the angst. The wording may be too harsh, or the policy may be too drastic a change to be made without a strategy.

Take the example of a company that decides that employees are taking pictures with their cell phones of company proprietary processes and equipment. They decide to create a policy that requires all people to leave their personal cell phones in their cars. The company also has a policy that forbids the use of company cell phones for personal reasons, and picture taking is turned off. Protecting proprietary company processes and procedures is necessary for the long-term success of the business; however, employees who are accustomed to being reachable by friends and family while at work will be angry about such a change. Some employees may have quite valid reasons for being reachable during the day, such as children, schools, elderly parents, or other people who might need to reach them in an emergency. These people will need time and a plan to transition away from that direct mode of contact. An administrative assistant, operator, or duty desk manager could be in charge of answering a phone for such cases. They would then be able to pull the individual off the floor so that contact could be made in a timely manner. In such a drastic case of policy change, having a plan that addresses immediate concerns already in place and spelled out will ease people’s minds and keep them confident that their interests are being considered. The fewer legitimate reasons people have to protest a new policy, the less traction any protest will gain.

Information Technology
Information Technology representatives need to be involved in the process because they provide input on what types of employee activities are harmful to company systems. They also need to provide insight into what types of electronic controls can realistically be placed on employees. It is vital that IT be a part of the process for developing the timeline for implementation, the documentation for users, and the feasibility of certain controls that another party may want to put in place.

Physical Security
Often overlooked in a company-wide policy is the role of physical security. Network closets are easy targets if they are not secured. Server rooms and IT labs should be secured. Even computers on employees’ desks can walk away, or internal components such as hard drives can go missing. Paperwork, blueprints, components, tools, finished product, and supplies are among the potential targets for physical removal. If there is no policy restricting what goes in and out, and there is no policy allowing searches, then this is a primary avenue for network attacks and exfiltration of data, as well as of any physical thing of value to the business. Policy should explain to employees that they should help keep these resources physically secure. They should be trained to recognize and report events that they see. This also helps strengthen the relationship between IT and physical security. If a network closet or server room is left open, the IT team needs to be notified about it so they can check for any compromise or loss of equipment.

Legal
Creating policy that feels right for the business is fine and good until the policy itself is challenged. Chances are that a company policy will be challenged at some point, legally or otherwise. The legal department can ensure that policy is written and enforced in ways that are standardized and defensible. If an employee is terminated for viewing pornographic materials 6 out of 8 hours per day, the legal department should make sure that the IT department, management, and HR are prepared to defend the evidence. If an employee is disciplined for stealing office supplies, it should be very clear in the policy just what the infraction and the consequence were. Just because an action taken based on policy is fully justified and legal does not mean that it will not be challenged. The legal department will also insist upon disclaimers at login that describe the employee’s expected level of privacy while using company systems. The legal review should be made before a policy is implemented and at every change. In some businesses this is cost prohibitive.

Marketing / Public Relations
When a change is made that puts additional restrictions on employees, those employees can turn to social media or community friendships to complain. It is important that “Security is important” is the primary message being sent internally. As mentioned with the HR involvement, there is often an internal strategy that needs to be developed for major policy changes. If an organization is big enough, it may even be necessary to spread the message outside of internal channels in order to get ahead of the narrative. The last thing a business wants is for a proactive, preventative measure to look like a reaction to a compromise that has not been disclosed.

Wrapping it up
In many businesses the roles of these individuals may not be well defined. Smaller businesses may not want the expense of legal counsel or physical security, for example. In these cases, turning to standards and frameworks for written policy is a good way to reduce the risk that the written policy is not legally enforceable. There are cases where one person may take on more than one role in this process. What is important is that the policy creation procedure is looked at from the perspective of each role, even if the entire policy is being written by only a few individuals.

Do you have concerns that your policy is up to date? Do you have concerns that some of the above perspectives were not considered when writing your policy? Chi Corporation can work closely with you to help you review and update your policy, or to create a written policy for your organization. Contact us for details at 1-800-828-0599.

Paul Comfort
Senior Systems Engineer
Chi Corporation
@PCComf