“Cybersecurity policies are exciting!”
Says almost no one ever.
While they might seem boring and burdensome, they are in fact a cornerstone of an effective security and compliance program. And they require continuous attention, maintenance, and enforcement if they are to remain effective. Previously, we have written a lot about how to:
- Establish a company-wide information security policy
- Manage vendor risk with policies
- Automate generation with our GPT-powered policy builder
In this post, however, we’ll look at higher-level best practices and explore how to manage a complicated patchwork of these documents. There are several steps you can take to make the process substantially easier, starting with:
Assigning cybersecurity policy ownership
One of the most common policy challenges is identifying a single owner for each. We have often seen policies that assign responsibility or ownership to a broad, loosely defined group of people, such as “executive leadership,” “senior management,” or “the risk committee.”
Even if you do identify a clear makeup for these groups, a single person should have a tie-breaking vote in the end. While oftentimes many stakeholders – including cybersecurity, legal, IT, engineering, and operations teams – will contribute to a policy, having a single accountable individual is crucial. This person should be a business leader responsible for overall accomplishment of the organization’s or business unit’s mission, and will therefore be best equipped to balance the various risks the team faces.
Finally, if there is ever an incidence of non-compliance with a policy, you will be able to address it with a single individual rather than attempting to hold a disparate group accountable.
Enforcing cybersecurity policies consistently and effectively
While policies might seem perfectly reasonable on paper, ensuring adherence to them in the real world can often be challenging. People are imperfect, inconsistent, and will make mistakes. Thus, having a way to automate policy enforcement whenever possible is a best practice.
Some examples include:
- Multi-factor authentication (MFA). If your policies mandate the use of MFA whenever it is available (which we strongly recommend!), your technical infrastructure should implement this requirement for you whenever possible. Leading identity and access management tools and cloud providers allow you to force the configuration of MFA when users first log in. This can greatly reduce the burden of following up with individuals to implement this important control.
- Account deactivation. Removing permissions and deleting employee accounts at the end of their tenure is another key compliance practice often required by cybersecurity policies. “Orphaned” accounts are a potential vector for cyber criminals or even former employees themselves to enter your networks. Thus, automatically integrating permission and account cleanup with human resources off-boarding processes can greatly increase the success of these efforts.
- Vulnerability management. Because organizations often face a wide array of known security flaws in their networks, manually remediating each one can often be a difficult and overwhelming process. Automatically pushing software updates to low-risk devices, such as individual endpoints, can greatly reduce the need to continuously triage and manually patch hosts. Be aware, however, that such automated approaches can cause outages if not handled with the utmost care.
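The first two bullets above (MFA and account deactivation) can be checked mechanically by reconciling an identity-provider export against the HR roster. The script below is an added example, not code from the post or from Scrut; the record layouts and the sample HR and IdP data are constructed for illustration, and a real integration would pull these from the HR system's and IdP's APIs.

```python
from datetime import date, timedelta

# Constructed sample data (not from the post): an HR export and an identity-provider
# (IdP) directory export, reduced to the fields this check needs.
HR_ROSTER = [
    {"email": "alice@example.com", "status": "active", "term_date": None},
    {"email": "bob@example.com", "status": "terminated", "term_date": "2024-03-01"},
    {"email": "carol@example.com", "status": "terminated", "term_date": "2024-05-20"},
]
IDP_ACCOUNTS = [
    {"email": "alice@example.com", "enabled": True, "mfa_enrolled": False},
    {"email": "bob@example.com", "enabled": True, "mfa_enrolled": True},  # left behind after off-boarding
    {"email": "carol@example.com", "enabled": False, "mfa_enrolled": True},  # correctly disabled
    {"email": "svc-backup@example.com", "enabled": True, "mfa_enrolled": False},  # no HR record at all
]


def find_policy_violations(hr_roster, idp_accounts, today_iso, grace_days=1):
    """Reconcile the IdP against HR and return three sorted lists of emails:
    orphaned  - enabled accounts whose HR record is terminated past the grace period
    no_mfa    - enabled accounts that have not enrolled in MFA
    unmatched - enabled accounts with no HR record (service accounts, contractors);
                these need an explicit owner rather than silent deletion
    """
    today = date.fromisoformat(today_iso)
    hr_by_email = {rec["email"].lower(): rec for rec in hr_roster}
    orphaned, no_mfa, unmatched = [], [], []
    for acct in idp_accounts:
        if not acct["enabled"]:
            continue  # already disabled: compliant with the deactivation policy
        email = acct["email"].lower()
        if not acct["mfa_enrolled"]:
            no_mfa.append(email)
        rec = hr_by_email.get(email)
        if rec is None:
            unmatched.append(email)
        elif rec["status"] == "terminated":
            # Allow a short grace period so same-day off-boarding does not fire an alert.
            cutoff = date.fromisoformat(rec["term_date"]) + timedelta(days=grace_days)
            if today > cutoff:
                orphaned.append(email)
    return {"orphaned": sorted(orphaned), "no_mfa": sorted(no_mfa), "unmatched": sorted(unmatched)}


if __name__ == "__main__":
    for kind, emails in find_policy_violations(HR_ROSTER, IDP_ACCOUNTS, "2024-06-01").items():
        print(f"{kind}: {', '.join(emails) or 'none'}")
```

Running the reconciliation on a schedule and filing each non-empty list as a ticket against the policy owner turns the "follow up with individuals" step into a routine report, and the output doubles as audit evidence that the control is operating.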
Weaving together various compliance frameworks
For organizations that need to adhere to various standards, regulations, and other requirements, having a set of policies that allows doing so seamlessly can be a huge help. Common techniques involve:
- Ensuring individual policies cover the required actions for all frameworks. If you are trying to achieve ISO 27001 compliance while also undergoing a SOC 2 audit, for example, you will find minor differences between the standards. Creating a single access management, auditing, or vulnerability management policy that covers both sets of requirements, rather than two separate ones, is a best practice.
- Creating a compliance framework-specific “view” or “index” of all of your policies. While ensuring policies adhere to all frameworks as much as possible, sometimes you will need to custom-develop ones for a specific standard. To help manage the complexity, having a purpose-built platform to organize them can be incredibly helpful. At a minimum, having a single page for each framework that hyperlinks to the relevant policies can greatly streamline audits and other reviews.
Maintaining cybersecurity policies over time
Like anything in cybersecurity, you are never “done” with policy development, maintenance, and management. The relevant owner should establish a regular cadence – annually at a minimum – to trigger a thorough review of each policy. Other conditions – such as multiple instances of non-compliance – should also trigger these types of reviews.
A policy review should generally cover:
By regularly reviewing your cybersecurity policies – and soliciting the feedback of key stakeholders – you can help to prevent them from becoming “stale” and losing relevance and effectiveness.
Continuously training your team
Unless enforcement of them is 100% automated – which is very difficult to achieve – your employees will need to be aware of your policies in order to comply with them. This means regularly training them on your policies, especially any changes.
While traditionally this takes the form of an annual refresher with the security team presenting a slide deck, there are alternative methods that can achieve better results, such as:
- Administering required short quizzes on your policies. To give employees an incentive, you can reduce how often someone must retake the quiz as their score increases.
- Asking employees to summarize policies on their own and present them in their own words to their peers. You’ll want to review these summaries for accuracy first, but this technique can improve buy-in.
- Using different forms of media such as video to help liven up the presentation and capture attention.
However you do it, make sure to capture evidence of the training for your next audit.
While often one of the less glamorous aspects of maintaining a well-functioning cybersecurity program, policy management is an art and science of its own. By assigning ownership, automating implementation, weaving together compliance requirements, continually revisiting them, and regularly training your team, you can make security policies an effective foundation for your program.
Doing all of this with generic tools like spreadsheets, however, is basically impossible to accomplish. So if you want to learn how Scrut Automation can supercharge your policy management efforts, please reach out!