July 11, 2019

Policy Upkeep – WST

How is your sea of policies?  Policies are necessary… and sometimes a confusing, boring chore to maintain and update.  The following can help reduce the burden of training and increase the comprehension and management of your policies:

  1. Target: All policies should have a defined audience and the policy should be addressed to that audience.  For example: Passwords can be covered in two policies, one directed at the end users that would detail how the end users are to manage their passwords, and the second directed at IT staff on how the institution implements password requirements.  This keeps the end users from having to read policy that does not affect them or is not in their control.
  2. Consolidate: You can reduce the overall number of policies by combining all policies directed at a specific audience or that have similar content.  This makes policy management and training much easier.  For example, combine all policies directed at end users into an Acceptable Use Policy, and all IT-related policies into an Information Technology Security Policy.
  3. Supersede: If your policy has language in it that no longer applies, get rid of it.  Writing replacement policies is sometimes easier than trying to keep an old policy alive.  This will keep the audience from having to read and train on obsolete policies.  For example, that “Micro Computer Processing Policy” drafted in 1992 still addressing floppy drives should be superseded (retired) by other policies.
  4. Keep them Simple: Complex documents can be harder to read and absorb, so reduce the amount of verbiage in the policy and use simple terms.  Additionally, avoid specifically naming vendors or products you use in policy.  If your policy says that you use “SuperAV by Davesoft for antivirus on all desktops” and you switched to “Virus Killer Elite” two years ago, well, your policy is wrong, and your auditor or examiner might ask “what else is incorrect” and go digging.  Consider a more generic statement such as “All desktops and servers will be protected with an antivirus client with current definitions” instead.
  5. Keep them Together:  Store policies in the same place electronically so they are easier to manage and access.