Most organizations answer that question with: “examiners haven’t had any issues with them, they’re just fine.” In some cases, that may be true, but examiners have finite resources and have to pick their battles, so don’t let that be your only indicator.
Your main priority should be to create policies that are understandable, clear on expectations, easy to reference so you can find what you're looking for, and written in a way that lets them grow and evolve with your organization. If you're writing them with the sole purpose of satisfying examiners, you're probably missing the mark in some way.
Your policies drive your information security program. Getting them right is not a luxury; it is a necessity.
Over the past few months, we've found ourselves in several policy re-write projects, and from those I've made some observations on why it's time for financial institutions (FIs) to refresh their policies and how to go about it if they choose to take it on themselves.
Why You Need a Policy Refresh
- It's been almost 20 years since GLBA went into effect. We've found that over that time, policies for many financial institutions have become a collection of templates from various sources, with various authors and various levels of detail. Because of that, topics are often covered in multiple locations across multiple documents. We've even found instances of conflicting policy, where two different documents say two different things about the same subject.
This leads to confusion and makes policies difficult to use.
- Many financial institution policies contain a lot of procedural wording. By that I mean they name specific applications and spell out how to use them. Policies aren't supposed to be the details of how something is to be done; that's what standards and procedures are for.
Policies need to give high-level direction for the program. When they contain "procedural" wording, they become lengthy and require frequent updates as the environment changes.
- Lastly, we find that many policies don't cover everything they should for a financial institution information security program. I'm not sure whether it's because of reason #1, and it's simply hard to keep track of what is and isn't in policy, or because of reason #2, and there just isn't room with all the procedures in there.
Either way, this is the biggest issue of the three.
What are the top 3 benefits of well-done policies?
- Well-organized policies are easier to update, reference, and train on.
- Policies written at the appropriate level are more concise and require less maintenance.
- Policies written with guidance and regulatory requirements in mind from the start are more comprehensive and more effective.
How to do a Policy Refresh
If you’re thinking that it may be time to sit down and revisit your policies, we have a few recommendations that can help:
- Understand that this is a lengthy process, so plan accordingly. This can take several months to catalog what you have against what you should have and reorganize the structure of your policies. Make sure you have the right amount of runway and bandwidth to take this on.
- Prepare management and the board. We’ve often found that when you explain the “whys” outlined above, management and the board are very receptive. But still make sure you give them the heads up in advance as there will be work and involvement on their part as well.
- Create a Policy Gap Analysis. This is a checklist of what you want and need to cover, including GLBA, the FFIEC Cybersecurity Assessment Tool (CAT) or the NCUA Automated Cybersecurity Examination Tool (ACET), FFIEC guidance, and other best practices. This gives you a framework to stay on track and justify content changes.
- Eliminate conflicts and redundancy. Conflicts can be a major issue, redundancy is hard to manage, and both are confusing to the people who have to follow the policy.
- Combine your policies as much as possible. This may get cringes from some of you. Trust me, when your information security policy (ISP) consists of one overarching policy organized by its various components, you'll have a better handle on what is actually in your policy. When it's combined into one document with one central owner, it's much easier to prevent redundancies and conflicts.
- Eliminate procedural content from your policies. This may be the toughest part of the entire process for some folks, because the line between the two can be blurry. Keep policy at a high level. Use it to make simple, pointed statements that give your program direction. From there, develop standards and procedures that take care of the details (we'll cover this in a separate blog post, so stay tuned!).
As painful as this process may seem, it's worth the investment. Refreshing and reorganizing your information security policies will pay dividends in the long run: more efficient management of the program, and less time spent debating redundancies, deciphering conflicting information, and making frequent updates.
If you don’t know where to begin, we can help get you started on the right foot by performing a Policy Gap Analysis for you. This will help you know where your current policies stand and where you need to go with them.
For more information email us at support@bedelsecurity.com and write “More info on PGA” in the subject line.
Additional Resources:
How to Create a Data Classification Policy
https://www.bedelsecurity.com/blog/how-to-create-a-data-classification-policy
Is it Time to Rethink Your Email Policy?
https://www.bedelsecurity.com/blog/time-rethink-email-policy
Free Resource: Remote Access Risk Assessment
https://www.bedelsecurity.com/lp-remoteriskassessment
Implement Practical Policies and Processes to Improve Your Cybersecurity
https://www.bedelsecurity.com/blog/implement-practical-processes-policies-improve-security