Security Policy Development

Proactive, cost-effective security with a business focus

What’s so hard about Policies?

Security policies are a mandatory component of virtually every regulatory compliance program.  In addition, they provide a strong foundation for any comprehensive security program.  Unfortunately, the development of security policies is one of the more intimidating and less enjoyable aspects of information security.  If done properly, a policy framework can promote security objectives by building security into normal business operations.  If done poorly, security policies can get in the way of productivity, create more work and/or provide no real value.  In these cases, policies often become “shelfware,” doing nothing but collecting dust. 


There are many myths about policies that play a role in the lack of effective policy deployment, including:


--- If we have policies, we need to comply with them but if we don’t have them, we won’t be held to any standards.


This is misguided.  Most regulations require policies, so the lack of policies equals non-compliance.  Beyond that, standards of due care and due diligence are increasingly being applied to information security.  Failure to have a policy covering wireless does not mean that you will not be held accountable if your wireless network is compromised, resulting in the disclosure of sensitive data.  On the other hand, good policies provide a solid framework for both compliance and security, providing real benefits to the organization.


--- If we have policies, that will address our regulatory compliance requirements, even if they only fill space on a shelf. 


This is not so much wrong as incomplete.  Having policies is part of regulatory compliance and will likely result in a “pass” for some audit tests.  That said, auditors will also be testing to determine if the policies are being effectively complied with.  As a result, policies that are entirely ornamental will be discovered.


--- We can just download some policies off the internet, insert our name and we’ll be good.


Policies have to be reviewed by senior management and, in some cases, boards of directors.  Once ratified, they need to be “lived with” each and every day.  Just as no two organizations are exactly the same, no two organizations can rely on exactly the same policies.  Organizations have different risk tolerances, use different technologies and have different cultures.  These result in anywhere from minor to significant changes to the content, requirements and even the tone of policies.  Attempting to force-fit policies is one of the best ways to stall the ratification process or wind up with a wasted policy development effort.

Rapid Policy Development

To help its customers overcome their policy challenges, NWN has developed an approach to rapid policy development that can get a full suite of custom policies in place in extremely short timeframes.  The traditional approach to consultative policy development revolves around spending weeks or even months collecting information about what the policies should say.  With sufficient information collected, the consultant drafts policies and turns them over to the client for review.  In most cases, the policies are “close” but require some modification.  A feedback/modification cycle begins until the policies are ready to present for ratification.  The ratifying body often has additional feedback requiring more changes.  The cycle continues, in many cases, for months.


NWN’s approach to policy development seeks to decrease this time significantly.  NWN does not spend weeks or months collecting information about what the policies should say.  If the client knew what they wanted in the policies, they would likely have written them.  Instead, NWN focuses on understanding the overall business, key technologies, the organization’s tolerance for risk and the required tone of the policies.  NWN then drafts a full suite of policies with little or no feedback from the client.  This creates a first draft of policy documents that is around 80% acceptable, rather than the 90% to 95% acceptability of the traditional method.  This difference may seem significant, but NWN has found that the process of collecting feedback and making changes to an 80% document isn’t significantly more difficult than doing so for a 95% complete document, so the policy development process is sped up by weeks.