A Matter of Policy

Information security policies and procedures are rapidly becoming an important corporate issue for most companies, especially in the wake of recent world events. In Canada, the heat has been turned up in this area for over a year now, since the introduction of Bill C-6 (Personal Information Protection and Electronic Documents Act)*, which in essence mandates organizations to be both responsible and accountable for personal information in their care.

As the CIO, if you haven’t been given the responsibility already, there’s a good chance you will soon be asked to develop a set of information security policies and procedures for the entire organization.

If you’ve already undertaken this task then you already know how quickly the scope of such policies and procedures can grow. If you have not been given the responsibility yet, then don’t panic. A good understanding of what’s involved, along with careful planning and organization, are the most important keys to helping you tackle the job successfully.

Policies vs. Procedures

Before trying to decide where to start with the development of your policies and procedures, it is important to have a basic understanding of the difference between the two.

Information security policies are generally short, and static in their form. They describe ‘what’ should and should not be done in security, not ‘how’.

Information security policies tend to

be viewed as foundational and in most cases need to be approved by other corporate level management. They are usually brought before the board for approval.

Information security procedures describe ‘how’ corporate security should be implemented. Procedures are used to implement policies, and are composed of processes. These processes are itemized step by step, and the method of completing a specific task is then standardized. As well, information security procedures tend to be viewed as dynamic, continually being changed and improved. Procedures usually do not need approval beyond the level of the CIO.

As an example of the difference between policies and procedures, think of mail server backups. Policy might state that backups of the mail server are to be preformed daily. This policy is relatively static and it is doubtful that it will change. It is the procedure that will show, step by step, how and when the backup is to be preformed. The procedure can be readily changed depending on the organizational needs at any given point in time.

Who Is Involved?

Information security policies and procedures apply to every business area in the organization. As a result, their scope can seem to grow almost exponentially in very little time, permeating to all business functions. In assuring the success of corporate security, the CIO’s planning and organizational skills will be put to the test. As the CIO, it is your responsibility to start discussions with all business units and departments within your organization to determine how information security applies to their daily routine.

How To Start

It is critical to interview every department in order to clearly identify all the information assets that need to be protected. Information assets can be almost anything, and are not limited to electronic files. Some common examples of information assets found in almost every organization include client information, customer lists, business processes, research and development data, personnel data, strategic and operational plans, sales forecasts, network diagrams, and internal contact lists. The list of information assets specific to your organization will grow significantly with each department you interview. Remember, virtually any information within the organization needs to be protected.

Once you have compiled a first draft of the organization’s information assets, it is often beneficial to meet with the CEO and/or CFO. They are the people who are the best to work with you in reviewing the items on the list because they are responsible for company assets and financial results. They can determine, from a financial perspective, which items should be given the highest priority.

The financial perspective helps to approximate a dollar value for each of the information assets. This is particularly important when a specific policy is going to require the acquisition of new non-information assets (equipment, software, personnel) in order to enforce the policy. These new non-information assets will have a cost associated with them, and this cost should be compared against the value of the information asset being protected. This will be one of the most important factors in influencing the board to approve the necessary policy and the acquisitions

that accompany it. The board wants to see value for any money that is being spent, and obviously the cost of protection must be less than the cost of loss.

Need For Defined Roles

Finally, clearly defined roles need to be established within the information security policies. It is critical to embed the definition of the roles into the policies while they are being created.

There are some important questions that need to be answered during the development phase of the policies. Will the scope and breadth of the policies require the support of a CSO (Chief Security Officer), or will the CIO be able to handle the responsibilities in addition to those currently assigned? Who will be responsible for monitoring and investigation of breaches – will the IT staff have this responsibility assigned to them, or will additional resources be required? Who will make the decision if disciplinary action is required against an employee who breaches policies – will it be HR, or line management? Who will be responsible for developing education and awareness programs?

Be aware that the development of information security policies and procedures in-house is a very time-consuming undertaking, but there are a number of third-party software packages designed specifically to aid in this task. These packages tremendously cut costs in time by automating a large portion of the organization required to put your policies and procedures into place.

Technology is changing almost daily. Along with these changes, the information security needs of your organization will change as well. Careful planning and good organization at the executive level are the survival tools needed to make sure these needs will be well met.

*Bill C-6 can be viewed on the Government of Canada website at the following address: http://www.parl.gc.ca/36/2/parlbus/chambus/house/bills/government/C-6/C-6_4/C-6TOCE.html

Joel Brenner is a partner and executive consultant with CGI Group. Based in Toronto, he has extensive experience as an information security consultant. He can be reached at Joel.brenner@cgi.ca.