Ch3-Policy Development and Implementation

Uploaded by Noor aldeen
Effective Policy Development and Implementation
Policy Development and Implementation
• How policy is developed and implemented can help or hinder its usefulness to the organization.
• Employees terminated for violating poorly designed and implemented policies could sue their organization for wrongful termination.
• Policy is only enforceable and legally defensible if it is properly designed, developed, and implemented using a process that assures repeatable results.
• One effective approach has six stages: development (writing and approving), dissemination (distribution), review (reading), comprehension (understanding), compliance (agreement), and uniform enforcement.
For policies to be effective and legally defensible, they must be properly:
1. Developed using industry-accepted practices, and formally approved by management
2. Distributed using all appropriate methods
3. Read by all employees
4. Understood by all employees
5. Formally agreed to by act or affirmation
6. Uniformly applied and enforced
Organization's Legal Counsel
• Policy should be reviewed by the organization's legal counsel to ensure it is acceptable within the limits of the law, and that implementation of the policy and its corresponding penalties would, in fact, be defensible in the event of a legal dispute.
Developing Information Security Policy
• It is often useful to view policy development as a three-part project:
1. The policy is designed and written (or, in the case of an outdated policy, redesigned and rewritten).
2. A senior manager or executive at the appropriate level and the organization's legal counsel review and formally approve the document.
3. Management processes are established to perpetuate the policy within the organization.
• Writing a policy is not always as easy as it seems.
• A clever security manager is always looking for available resources (including the Web) for examples that may be adapted to the organization.
• Seldom will the manager find the perfect policy, ready to go.
Developing Information Security Policy
• Some online sites sell blank policies that you can customize to your organization.
• In any event, it is important that the organization respect the intellectual property of others when developing policy.
• If parts of another organization's policy are adapted, appropriate attribution must be made.
• Most policies contain a reference section where the author may list any policies used in the development of the current document.
• Even policies that are purchased from policy vendors or developed from a book on writing policies may require some level of annotation or attribution.
• It is recommended that any policies adapted from outside sources be thoroughly summarized to prevent the need for direct quotations.
Policy Distribution
• Getting the policy document into the hands of employees can require a substantial investment by the organization in order to be effective.
• The most common alternatives are hard copy distribution and electronic distribution.
• Hard copies involve either directly distributing a copy to the employee or posting the policy in a publicly available location.
• Posting a policy on a bulletin board or other public area may be insufficient unless another policy requires the employees to read the bulletin board on a specified schedule (daily, weekly, etc.).
Policy Distribution (hard copy)
• Distribution by internal or external mail may still not guarantee that the individual receives the document.
• Unless the organization can prove that the policy actually reached the end users, it cannot be enforced.
• Unlike in civil or criminal law, ignorance of policy, where policy is inadequately distributed, is considered an acceptable excuse.
• Distribution of classified policies (those containing confidential internal information) requires additional levels of controls: in the labeling of the document, in the dissemination and storage of new policy, and in the collection and destruction of older versions, to assure the confidentiality of the information contained within the policy documents themselves.
Policy Distribution (electronic means)
• Another common method of dissemination is by electronic means: e-mail, newsletter, intranet, or document management systems.
• Perhaps the easiest way is to post current and archived versions of policies on a secure intranet in HTML or PDF (Adobe Acrobat) form.
• The organization must still provide a mechanism to prove distribution, such as an audit log that records when each user accessed the documents.
• As an alternative delivery mechanism, e-mail has advantages and disadvantages.
• While it is easy to send a document to an employee and even track when the employee opens the e-mail, e-mail tracking may not be sufficient as proof that the employee downloaded and actually read any attached policies.
Policy Distribution (electronic means)
• Documents can get lost in an avalanche of spam, phishing attacks, or other unwanted e-mail.
• The best method is electronic policy management software (automated tools).
• Electronic policy management software not only assists in the distribution of policy documents, it also supports the development and assessment of comprehension.
Policy Reading
• Barriers to employees' reading policies can arise from literacy or language issues.
• A surprisingly large percentage of the workforce is considered functionally illiterate.
• Many jobs do not require literacy skills, for example, safeguarding staff, groundskeepers, or production line workers.
• Because such workers can still pose risks to InfoSec, they must be made familiar with the policy even if it must be read to them.
• Visually impaired employees also require additional assistance, either through audio or large-type versions of the document.
Policy Reading
• Multinational organizations also must deal with the challenges of evaluating reading levels of foreign citizens.
• Simple translations of policy documents, while a minimum requirement, require careful monitoring.
• Translation issues have long created challenges for organizations.
Policy Comprehension
• A quote attributed to Confucius states: "Tell me and I forget; show me and I remember; let me do and I understand."
• In the policy arena, this means that simply making certain that a copy of the policy gets to employees in a form they can review may not ensure that they truly understand what the policy requires of them.
• Bloom, Mesia, and Krathwohl define comprehension as "the ability to grasp the meaning of material. [It] may be shown ... to go one step beyond the simple remembering of material, and represent the lowest level of understanding."
Policy Comprehension contd.
• To be certain that employees understand the policy, the document must be written at a reasonable reading level, with minimal technical and management terminology.
• The readability statistics supplied by most productivity suite applications, such as Microsoft Word, can help determine the current reading level of a policy.
Figure: Readability statistics (Microsoft Word)
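The readability statistics that Word reports (Flesch Reading Ease and Flesch-Kincaid Grade Level) are simple functions of words per sentence and syllables per word, so a policy author can compute them on any draft without the productivity suite. The following is an added example, not code from the original slides; the syllable counter is a vowel-group heuristic (it is approximate, as all automatic syllable counts are), and the sample policy clause is constructed for this example.

```python
import re

# Heuristic syllable counter: count runs of vowels, then drop one for a
# silent trailing "e" (kept for "-le" endings such as "visible").
_VOWEL_GROUP = re.compile(r"[aeiouy]+")


def count_syllables(word: str) -> int:
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    n = len(_VOWEL_GROUP.findall(w))
    if w.endswith("e") and not w.endswith("le") and n > 1:
        n -= 1
    return max(n, 1)


def text_stats(text: str) -> dict:
    """Word, sentence and syllable counts for a block of policy text."""
    words = re.findall(r"[A-Za-z']+", text)
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    syllables = sum(count_syllables(w) for w in words)
    return {"words": len(words), "sentences": len(sentences), "syllables": syllables}


def flesch_reading_ease(text: str) -> float:
    """Flesch Reading Ease: higher is easier; 60-70 is roughly 'plain English'."""
    s = text_stats(text)
    if not s["words"] or not s["sentences"]:
        return 0.0
    return 206.835 - 1.015 * (s["words"] / s["sentences"]) - 84.6 * (s["syllables"] / s["words"])


def flesch_kincaid_grade(text: str) -> float:
    """Flesch-Kincaid Grade Level: approximate US school grade needed to read the text."""
    s = text_stats(text)
    if not s["words"] or not s["sentences"]:
        return 0.0
    return 0.39 * (s["words"] / s["sentences"]) + 11.8 * (s["syllables"] / s["words"]) - 15.59


# Constructed sample policy clause (not taken from the original page).
SAMPLE_POLICY = (
    "All personnel must wear identification badges in a clearly visible location. "
    "Badges must be handed in on the last day of employment."
)

if __name__ == "__main__":
    print(text_stats(SAMPLE_POLICY))
    print(f"Flesch Reading Ease:  {flesch_reading_ease(SAMPLE_POLICY):.1f}")
    print(f"Flesch-Kincaid Grade: {flesch_kincaid_grade(SAMPLE_POLICY):.1f}")
```

Run the scorer over each section of a draft rather than the whole document: a single long definitions paragraph can push the grade level well above the workforce's reading level even when the rest of the policy is plain. Treat the numbers as a screening tool; the comprehension quiz described on the next slides is the actual check.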
Policy Comprehension contd.
• The next step is to use some form of assessment to measure how well employees understand the policy's underlying issues.
• Quizzes and other forms of examination can be employed to assess quantitatively which employees understand the policy by earning a minimum score (e.g., 70 percent), and which employees require additional training and awareness efforts before the policy can be enforced.
• Quizzes can be conducted in either hard copy or electronic formats.
Policy Compliance
• Policy compliance means the employee must agree to the policy.
• According to Whitman in "Security Policy: From Design to Maintenance":
• Policies must be agreed to by act or affirmation. Agreement by act occurs when the employee performs an action, which requires them to acknowledge understanding of the policy, prior to use of a technology or organizational resource.
• Only through a direct collection of a signature or the equivalent digital alternative can the organization prove that it has obtained an agreement to comply with the policy, which also demonstrates that the previous conditions have been met.
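For the "equivalent digital alternative" to serve as proof, the acknowledgment record must bind the employee's identity to the exact policy text in force at the time, record how and when agreement was obtained, and be tamper-evident afterwards; the same record also answers the earlier distribution question of proving that a specific version reached a specific user. The following is an added example of such a record, not code from the original slides or from any policy management product: the record key, employee ID, version strings and policy texts are all constructed for illustration, and a production system would keep the sealing key in a KMS or HSM (or use an e-signature service with its own PKI) rather than a module constant.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical server-side sealing key, constructed for this example only.
RECORD_KEY = b"example-only-acknowledgment-record-key"


def policy_digest(document: bytes) -> str:
    """Identify a policy by the SHA-256 of its exact published bytes."""
    return hashlib.sha256(document).hexdigest()


def canonical(record: dict) -> bytes:
    # Deterministic serialization so the seal covers every field in a fixed order.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def record_acknowledgment(employee_id: str, document: bytes, version: str,
                          method: str, when: datetime, key: bytes = RECORD_KEY) -> dict:
    """Sealed record of who agreed, to which exact text, when, and by what method."""
    record = {
        "employee": employee_id,
        "policy_sha256": policy_digest(document),
        "version": version,
        "method": method,  # e.g. "click-through", "quiz-passed", "signature-scan"
        "acknowledged_at": when.astimezone(timezone.utc).isoformat(),
    }
    record["seal"] = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return record


def verify_acknowledgment(record: dict, current_document: bytes, key: bytes = RECORD_KEY) -> bool:
    """True only if the record is unaltered AND refers to the policy text now in force."""
    body = {k: v for k, v in record.items() if k != "seal"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record.get("seal", "")):
        return False  # record edited after the fact
    return record["policy_sha256"] == policy_digest(current_document)


# Constructed policy texts: v1.1 changes one clause, so a v1.0 acknowledgment no longer covers it.
POLICY_V1 = b"Badge Policy v1.0: All personnel must wear identification badges in a visible location."
POLICY_V2 = b"Badge Policy v1.1: All personnel and contractors must wear identification badges in a visible location."


def demo() -> dict:
    when = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    rec = record_acknowledgment("e12345", POLICY_V1, "1.0", "click-through", when)
    tampered = dict(rec, employee="e99999")  # someone re-attributes the record
    return {
        "valid_for_v1": verify_acknowledgment(rec, POLICY_V1),
        "valid_for_v2": verify_acknowledgment(rec, POLICY_V2),
        "tampered_valid": verify_acknowledgment(tampered, POLICY_V1),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The check that matters in a dispute is the second one: once the policy is revised, the old record correctly stops counting as agreement, which is why the enforcement slide's "uniform" standard has to include re-collecting acknowledgments from everyone after each revision, not only from new hires.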
Policy Compliance
• What if an employee explicitly refuses to agree to comply with policy?
• Can the organization deny access to information that the individual needs to do his or her job?
• Failure to agree to a policy is equivalent to refusing to work and thus may be grounds for termination.
• Organizations can avoid this dilemma by incorporating policy confirmation statements into employment contracts, annual evaluations, or other documents necessary for the individual's continued employment.
Policy Enforcement
• The final component of the design and implementation of effective policies is uniform and impartial enforcement.
• As in law enforcement, policy enforcement must be able to withstand external scrutiny.
• Because this scrutiny may occur during legal proceedings (for example, in a civil suit contending wrongful termination), organizations must establish high standards of due care with regard to policy management.
Policy Enforcement contd.
• For instance, if policy mandates that all employees wear identification badges in a clearly visible location and select members of management decide they are not required to follow this policy, any actions taken against other employees will not withstand legal challenges.
• If an employee is punished, censured, or dismissed as a result of a refusal to follow policy and is subsequently able to demonstrate that the policies are not uniformly applied or enforced, the organization may find itself facing punitive as well as compensatory damages.