Working in the information security arena for a number of years and facing various challenges along the way, I've come to recognize several key factors that must be considered in almost every situation. I've learned that you have to "Mind your P's" when trying to implement security controls. Although this set of ideas can be applied to most aspects of business, they're especially helpful in understanding the success or failure of a security program in a given organization.
This list began forming in my earliest consulting days, performing risk assessments. Our low-end engagement was referred to in-house as a "P&P"—our review of policies and procedures. The P&P was a good initial assessment to see whether an organization had laid the groundwork for a successful security program. Having set policies and procedures is crucial for any organization, for one simple reason: Without them, chaos rules, and day-to-day operations are inconsistent and ineffective. Policies and procedures clarify what the organization wants to do, why it should be done, and how to do it.
The foundation of all security is strong policies. A policy is an intent. It sets the expectations of performance as well as the standards of behavior for an organization. A policy guides decisions, provides consistency, and defines the corporate culture. To be effective, a policy must be clear and well-written, leaving little open to interpretation. The level of detail should be suitable for both the audience and the subject matter. Further, and more importantly, it MUST be embraced by senior management. Without management support there is little chance of policies being effective in any group. Finally, an unenforced policy isn't a policy at all; it's merely words on a page.
A policy is only a set of guidelines; it's implemented as a procedure. A procedure is a set of discrete steps outlined to accomplish a specific task. Procedures normally include step-by-step instructions and any useful or required forms. These instructions and forms are used to ensure compliance with all standards and policies. A procedure documents and describes the who, what, when, and how in support of the implementation of a policy.
Procedures can assume basic competency in the role of the person performing the task, but each procedure should be written in sufficient detail that the task can be accomplished by someone who has never previously performed it. This rule ensures continuity in business operations in the event of staff attrition and turnover. Procedures generally form the "inputs" for a larger business process, which I'll discuss later.
The challenge of implementing a good security program is to find the right balance between our need for security and our natural desire for an easy path. As we seek this balance, we need to guide the organization and its people through well-defined policies and procedures. If we don't provide guidance and direction, people will fall back to easier ways of doing business (common practices).
Enterprise Solutions Pakistan strives to achieve best practices while avoiding the challenges and hurdles in technology. It should be obvious by now that this is no easy task; be prepared to adjust your expectations over time. Policies and procedures don't need to be carved in stone—they can be modified over time, and they should be. But it's clear that we need to mind all our P's when it comes to information security.