As you are reviewing your client’s cyber stacks for 2023, this is the perfect time to make sure their security policies are up to date and make sense given the changing landscape: not only increasing threats and changing threat sources, but also changing processes and people within the organizations you support.

Note: if you are interested in seeing how your proposed 2023 cyber stack stacks up against current threats, consider a free MSP-focused cyber stack evaluation.

Before I dive in, I want to get through some basics. What is a policy versus a procedure?

I’ve seen all sorts of layouts for P and P, and many incorporate policies and procedures into one document. Why have two separate documents?

Policies—are meant to state what your organization (or client organization) expects from its teams (the WHAT).

Procedures—detail exactly how your organization (or client organization) gets to meet that expectation (the HOW).

Security policies are essentially strategies that state what you are protecting and maintaining on a network. With a well-written, up-to-date policy in place, your team and your client’s team can react and respond as quickly as possible along the best path (your procedure).

What makes up a good policy?

Since policies need to clearly define and lay out WHAT is being done, you will want to make sure they are simple and clear for the entire organization to understand. Even though your team might be some of the smartest techs in your area, you will probably want to boil down a lot of the detail your team might appreciate into a form that the least technical person at your client could understand.

That means:

Keep them easy—write in clear, simple language. Keep sentences short. Keep vocabulary simple. Err on the side of easy to understand rather than the most thorough. You need to make your policies as memorable and accessible as possible to rally the team behind them. No glazed-over eyes here!

Include a statement—include a policy statement that addresses WHY the policy is in place. Also identify the rule your team is following. It is very easy to get wordy and complicated in these statements. Take a step back and try to communicate the purpose in a way that your grandmother would understand.

Get them in front of everyone—the more your team understands policies and why they are in place, the more likely you will have a team committed to following them.

Identify experts—having people that are your resource in charge of a policy is critical. Get someone on your client’s team (and your own) to own policies and find ways to make them more impactful. These people will be go-to’s to make policies better as you evolve your security.

Keep them consistent—make sure you have a simple and consistent way of presenting policies so that everyone is on the same page. We have a template we present for vCSOs, but just making sure that you have consistency will make all the difference.

Lose the acronyms—if you are used to speaking in tech terms or acronyms, a policy is not the place for it. Get everyone on the same page by omitting special coded language that only some may understand.

Make them visually readable—keep a generous amount of white space. Structure your presentation so a user can find specific points easily. Make sure the layout is consistent enough to link to procedures in an easy-to-find way.

Keep it flexible—as you continue your policy writing journey, be sure to keep your document modular. You will likely only have to rewrite very specific points in small sections of the document. If you can modularize your policies as much as possible and label those modules with headers, you will make them extremely easy to maintain in the future.

Get your policies owned—every single policy needs an owner. That means someone accountable for making sure the policy is reviewed, updated and disseminated to the team.

We will be taking a deep dive into a policy creation and review process that any vCSO will certainly need in their tool chest when engaging with their clients on security policies and procedures. The Galactic vCSO methodology focuses on making policy review simple and easy to use with leaders in an organization. For more information, see www.galacticscan.com/vcso.