Information Security Policy Review
Why are policies important?
When an organization first undertakes the effort of implementing an Information Security Framework or Management System, a key step is the development of policies, procedures, and standards. Every information security framework requires the development and implementation of policies. NIST SP 800-171, HIPAA, ISO 27001:2013, PCI, SOC 2 Type II and others have specific controls around these documented policies, procedures, and standards.
Specifically, the value documented policies provide encompasses two areas. First, having documented policies memorializes the intent of the organization. Having these policies documented and available to the workforce provides a vehicle of enforcement. Second, documenting policies provides continuity in execution. Often, organizations rely on “tribal knowledge” when work needs to be done. Documented policies, procedures, and standards prevent unnecessary inconsistency in execution.
Policies are implemented. What are the next steps?
Once the initial policies have been developed and implemented, the periodic review cycle begins. Regulations, customer obligations, and the threat landscape change. Additionally, security incidents may force stricter controls in an organization. As a result, the security posture within these organizations evolves. For example, the frequency of phishing attacks has increased and is accelerating. Companies will implement additional controls to mitigate the risk, and the result is an evolution of policies, procedures, and standards to address it. This should be an ongoing activity.
How often should policies be reviewed?
There is no specific interval that fits every company. However, there should be, at a minimum, an annual review of policies to determine whether changes are necessary based on the factors stated above. A review and change log should be maintained, even if the policy is not updated. Having evidence of this policy review serves to demonstrate appropriate diligence. Additionally, each policy document should include a change history recording the reviews, or previous versions should be archived.
Who owns the policy review?
Generally, the policy review is initiated by the Information Security function. However, in some organizations, the security responsibilities may be divided among several individuals. As a best practice, each policy should have an owner, author, and approver. The policy owner should ultimately have the responsibility of initiating the review.
Any other follow-up?
The revision of policies provides an excellent opportunity for internal audit. Periodically, organizations should review the content in policies, procedures, and standards and verify that the activities in these documents are being performed as prescribed and the documents truly represent the activities taking place. In other words, we do what is documented and we document what we do.