Creating policies is a major part of Cybersecurity Program Management. There should be a structured plan and process for policy creation. This process should cover each step of creating and writing policies, from the initial requirements gathering through review and approval.
Cybersecurity Policy Creation
A Cybersecurity Policy should be created to address each major control body for the cybersecurity framework(s) followed or regulatory requirement(s) that must be adhered to. Having a formal policy solidifies that the organization follows specific rules and processes which are required by auditors to show evidence of governance and compliance.
It is important to understand the order of operations that leads to policy creation. Before creating the policy, its purpose and scope must be determined. To build the policy, there must already be accurate and up-to-date documentation, standards, and procedures for the control being addressed; the content from those documents feeds the body of the policy. Many organizations mistakenly attempt to create a policy before having implemented the control the policy covers.
Policy formatting can be designed to meet your organization's preferences. There are no set rules on what a policy looks like as long as it includes all the key information that is expected to be addressed as part of the framework, best practice and/or regulatory requirement that the policy is based on.
The common core components of a formal written policy include:
Cover Page - includes the title, date last updated, current version, company name
Table of Contents - important to include for quick and easy navigation
Policy Summary - brief high-level description of the policy content
Policy Purpose/Objective - concise description of the specific goals/objectives that the policy addresses, including any major law or regulation that it satisfies
Policy Scope - who and what the policy applies to
Policy Content / Body - the content of each security control that is covered
Policy Enforcement - how the policy is distributed and enforced by the organization
References - any resource that is mentioned or used to support the policy including frameworks, whitepapers, regulatory documents, etc.
Version History - all versions should be tracked, including the date each was modified, reviewed and approved, and by whom
Here is a list of the most important recommendations on how to create and write the policy:
Write the content as concisely as possible. This helps users read and review the policy much faster. It also makes updating the policy much easier.
Write the content as simply and straightforwardly as possible. You don't want to fill the document with excessive technical jargon and complicated or confusing language. You want it to be as easy as possible to understand while ensuring each key point is addressed.
Avoid duplicating sections and language. If necessary, make a reference to another section rather than duplicating the information. You don't want to have to update something multiple times in different places.
Make sure the policy is reviewed and distributed to all departments and business units that are impacted by the content and commitments that are made. Anyone directly impacted should be aware of this before the policy goes "live" and they should have the opportunity to provide input and share feedback.
Use a consistent format and structure with all company policies.
Separate policies by major control groups or security categories rather than creating one massive policy conglomeration. This makes it much easier to manage, review, and update.
Form a policy committee that contributes content, recommendations, and feedback on policy drafts and updates.
Get different perspectives on the content and commitments made in the document. This should include legal, compliance, HR and other departments, not just IT and Security.
Ensure the policy approver is different from whoever wrote/created the policy, and the approver should be part of senior management.
Make sure notifications are provided to impacted staff when a policy is released or updated.
Policies should be stored in an organized, easy-to-find and easy-to-access manner.
Avoid cluttering the policy with diagrams, pictures, or additional reference information. These can be included in separate appendix sections at the end or included as a reference to the knowledge base, file share or other destination.
Use version and change tracking in the policy document.
Only use templates from reliable and trustworthy sources to ensure they are legitimate, accurate and contain current information.
Avoid relying on templates and just copying in the company name without thoroughly reviewing, customizing and updating the policy to ensure it reflects your company goals, requirements and information.
Keep an eye out for a follow-up article covering Policy Management in the near future.
See our list of references below and review these sources for more information:
What is a security policy? - TechTarget https://www.techtarget.com/searchsecurity/definition/security-policy
Security Policy Template - SANS https://www.sans.org/information-security-policy/
Policy Template Guide - CIS Center for Internet Security https://www.cisecurity.org/-/jssmedia/Project/cisecurity/cisecurity/data/media/files/uploads/2021/11/NIST-Cybersecurity-Framework-Policy-Template-Guide-v2111Online.pdf
CIS Controls Version 8 (2021) - CIS Center for Internet Security https://www.cisecurity.org/controls