
Doing security policies right

Apr 25, 2018 | 5 min read
Data and Information Security | IT Strategy | Technology Industry

To maximize the effectiveness of your business’ security policy, consider these five essential areas during the creation and deployment stages.

Most sophisticated businesses have at least some form of a security policy for their organizations.  Unfortunately, all too often, those policies are inadequate, fail to comply with applicable regulatory requirements, are profoundly complex and difficult for the average employee to understand, and almost always aren’t updated in a timely manner.

In this post, I will not focus on the actual content of security policies, but on the overall approach and process of creating and deploying them. It is in the implementation of security policies where many companies fail. That is our focus today: ensuring policies are understandable for the "rank and file" employee and that deployment of the policies throughout the organization is done in a thoughtful manner. This will increase the likelihood that security policies actually provide the protection they are designed to provide.

Here are the top five areas to consider when creating and deploying a security policy:

1. The drafting team

All too often, the team responsible for drafting the security policy is comprised solely of internal and potentially external information security experts. While those experts may be terrific at identifying and addressing security risks, they are seldom expert drafters of understandable policies. The focus should be on crafting a document that can be easily understood by someone who is not a security professional. That means engaging personnel who are knowledgeable about employee policies (e.g., HR professionals) in the drafting process. Engaging a team comprised of information security experts, HR professionals, and legal and other subject-matter experts is key to developing policies the average employee can understand.

2. Avoiding overly complex policies

The primary problem with most security policies is that they are so long and frequently so convoluted that the average employee won't take the time to read them, or, even if they invest the time, won't understand them. Some security policies can be as long as 70 pages with hyperlinked references to more than a dozen ancillary policies. That's not the type of document we can reasonably expect the average employee to read, let alone understand. I am not saying that such a policy may not be warranted, especially given the complexity of some businesses; what I am saying is that a lengthy security policy is not what you would want to hand out to every employee.

In cases in which a security policy simply cannot be reduced to a relatively small number of pages, the answer is to create a secondary document that summarizes the most important points in the primary security policy. It is that secondary policy that would then be circulated to the average employee. Secondary summary policies can be very effective at highlighting key points and clarifying to the average employee the risks the business is seeking to address. The level of detail is sufficient to educate employees regarding their obligations, but not so detailed as to inundate them with too much information. In general, these summary policies can be rapidly created once the underlying, complete policy is drafted.

3. Drafting tips

In any event, whether in the underlying, complete policy or the secondary policy, some basic drafting tips should be followed:

  • Ensure all key terms are clearly defined.
  • Avoid interlocking definitions, where one definition ties to another definition, which in turn ties to yet another definition.
  • Avoid excessive use of acronyms, particularly in any secondary policy.
  • Consider including summary paragraphs at the top of important sections.
  • For key concepts, replace lengthy blocks of text with bullet points or checklists.
  • Always strive to write in plain English.

4. Deployment

Once an appropriate, understandable policy is written, the standard approach is to provide employees with a copy and require them to sign an acknowledgement that they have received and read the policy. While this is helpful from a legal perspective, it is unlikely to ensure the employee actually understood what was written and almost never results in any increased security protection for the company. This brings us to the topics discussed in my earlier blog entries: conducting employee education regarding security is absolutely critical. In particular, mandatory new hire training, ongoing security awareness training and exit interviews should be the norm. Security bulletins should be circulated on a regular basis to highlight new threats and risks (e.g., the use of wireless networks, removable media and employee camera phones).

A recent survey conducted by an industry trade publication found that 10 percent of companies never conduct training and only eight percent conduct quarterly training. The survey showed most businesses conduct training annually or on a completely ad hoc basis. Something more structured must be done to manage security more effectively.

5. Enforcement

Distribution of the policy and training should be followed by enforcement. This means monitoring employee compliance and, when necessary, taking appropriate action to address infractions. An initial, minor infraction may only warrant remedial education and a warning. Substantial or repeated infractions may mean disciplinary action, up to and including termination. Employees should also understand that breaches may subject them to personal civil and criminal liability. The point is not to threaten employees, but to make it clear that infractions will result in very real consequences, including the loss of their job.

By following the suggestions above, businesses can draft more effective and understandable security policies. Without these measures, most policies will go unread and, worse, will not contribute to the overall mitigation of risk in the business.

[Disclaimer: The information on this blog or article is provided without any warranty or guarantee, does not provide legal advice to the reader, and does not create an attorney-client relationship with the reader. Any opinions expressed in this blog or article are those only of the author and do not necessarily reflect the views of the author’s law firm or any of the author’s or the law firm’s clients. In some jurisdictions, the contents of this blog or article may be considered Attorney Advertising.]


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.