Governance (Understanding the Ownership, Responsibilities, and Accountabilities)

Policy, by definition, is a set of action items; governance, by definition, is the manner or action of governing. Within a corporate environment, the business owners define the objectives and policies as a means to execute and achieve these objectives. It is imperative that a governance framework is in place to ensure effective implementation and execution of policies.

What this effectively means is that the policy should be issued and authorized by the right person and at the right level within the organization. A RACI matrix should be defined, effectively identifying the ownership, responsibilities, and accountabilities for the implementation of policies. As an example, imagine the IT Director issuing an HR Policy asking all employees to start work early. The policy will not be successful because the employees will challenge the authority of the IT Director to issue an HR Policy.

Similarly, can you imagine an information security analyst issuing a policy regulating Internet usage within the organization? Will employees adhere to it? No, because the issuer does not have the required authority.

In the context of information security, the CISP should always be signed off by the CEO or the head of the organization. It indicates clear authority, management support, and commitment from the top.

Writing Effective Policies (Characteristics and Attributes of an Effective Policy Document)

What is the secret ingredient to make a policy effective? Well, honestly, there is none (see Figure 1.2 to understand how policies work).

However, there are three aspects of a policy life cycle that need to be understood to make it effective. They are strategic, tactical, and operational aspects. Let us understand the strategic aspect of policy.

Foremost, the policy owner/author must be clear on the objective that needs to be achieved with the policy document. Does the intended objective align with the business goals, vision, and mission of the organization? Does the policy contradict an existing policy document or existing legislation? It is important that the policy owner/author understands and considers regulatory and business requirements while drafting the policy. Further, the policy owner/author must assess the operational impacts of the policy. Will the changes be huge? Will they create disruption? Is the disruption justified?

What would be the financial impact of this policy? Here the policy owner/author needs to assess both the costs and the returns. The cost here refers to the financial investment required to implement the policy (e.g., cost of policy development, associated awareness costs, cost in terms of creating/amending processes, cost of systems, if any, that may be required to implement the policy, etc.). Returns here refer to the financial gain the organization would make or save due to this new policy (e.g., possible fines that you would avoid, gains due to process optimization, enhanced sales due to better customer confidence, etc.).

Figure 1.2 Understanding how policies work.

The policy owner/author must also understand and review the collateral damage that could be caused by the policy. For example, imagine an organization that decided to end its "Work from Home" initiative to mitigate the risks associated with remote access and the costs associated with mitigating those risks. This policy would have an impact on the female workforce (especially young mothers) who may be using the work from home option; similarly, it may also affect employees who live far from the office, as it will entail spending long hours commuting to work. There is a possibility that such employees may leave the organization. Other things that need to be considered include the organization's work environment and culture. Briefly, these cover the strategic aspects of a policy life cycle, and they should be dealt with as part of the policy needs assessment. Now, let us delve into the tactical aspect.

This involves the actual drafting of the policy document. It is imperative that the policy owner/author effectively translates the organization's strategic considerations into the policy document. The key importance is to ensure that the document is clear, concise, and commonsensical.

Some effective "dos and don'ts" while writing a policy are:

1. The language should be simple. Avoid using legal language.
2. The sentences should be short.
3. Keep the document focused. Do not try to cover everything under the sky in a single document.
4. Do not create ambiguity in the document as it may confuse the readers.
5. The policy documents should be concise, not more than a few pages. Standards, procedures, and guidelines may be as detailed and long as necessary (see Figure 1.3 for additional clarity on what is expected in each of the documents (Policy vs Standard vs Control vs Procedure, 2020)).
6. Clearly identify the objective of the policy, define the scope and audience for the document, articulate the clauses in lucid language, define the KPIs to monitor and evaluate the policy, define how the policy will be implemented (roles and responsibilities), and analyze the enforcement of the plan (how it will be enforced and the consequences for not abiding by or breaching the policy [e.g., fines, suspension, termination, etc.]).

Figure 1.3 Understand the contents of various policy documents.

Last, let us consider the operational aspects of the policy.

Once the policy is drafted, the most important step is to get the document empowered. This is achieved by ensuring that the document is signed off by the head of the organization, or the highest authority accountable for the particular policy.

Imagine a scenario where there is an organization X whose CISP is signed by the CIO and another organization Y whose CISP is signed by the CEO. It goes without saying that the CISP signed by the CEO would have greater acceptance than that signed by the CIO. It will also demonstrate management support at the highest level. Once this is achieved, the policy owner/author needs to work on creating awareness and acceptance of the policy. A communication plan needs to be developed to ensure that the message reaches the intended audience. This can be done through awareness sessions, emails, posters, one-to-one meetings, and so on. It is necessary that buy-in for the policy is achieved across the organization; only then will the policy be effectively adopted within the organization.

Along with the awareness, the policy owner/author must work on the effective implementation of the policy. Depending on the policy, this may entail new or amended processes, awareness/training of employees, and technology (hardware/software/infrastructure) to implement and achieve the desired objectives.

Lastly, the policy owner/author needs to put in place an effective mechanism to monitor the policy. The identified KPIs should be monitored over a period to verify if the policy is achieving the desired outcomes. There is also a need to monitor any harmful collateral effects that were not envisaged in the beginning. The feedback from this activity will go back into the review cycle and will determine if the policy needs to be tweaked or amended (see Figure 1.2 to understand how policies work).

Policy Life Cycle (Policy from Cradle to Grave)

Let us now look into the policy life cycle and understand how it works. Broadly, there are five stages in a policy's life cycle, as shown in Figure 1.4.


The development stage of policy consists of multiple sub-steps. Contrary to what many might think, this stage is much more than writing the policy document itself. The most important thing here is not writing the policy itself, but doing a needs assessment.

Needs Assessment

It is important to answer the question, "Why do we need this policy?" There could be various reasons for that, for example, the business vision, mission, or objectives have changed; the business has decided to get into a new line of business; there is a change or new direction from the regulators; the business needs to optimize the current processes or operations; or there is a regulatory requirement. The answer to this question will help you understand the objectives of the policy.

Policy Drafting

Having clearly understood the objectives and the needs of the business, the next step is to draft the policy document. Depending on the document (whether it is a policy, a procedure, or a guideline), you will choose a drafting language. Policy documents are crisp and to the point (generally a two- to three-page document). Standards and procedures are more detailed documents and delve into additional details (technical, operational aspects) to ensure compliance with a policy. These are essentially best practices for achieving specific tasks needed to accomplish a policy objective. Guidelines are detailed documents that provide comprehensive help to the users on how to implement, operate, or execute a particular task. They may provide guidance on the usage of tools that facilitate the implementation, operation, or execution of a particular task. This may be a step-by-step approach as well. In some cases, a complex process may be broken down into specific tasks, and the users may be provided with WI on how to execute the specific tasks.

Figure 1.4 Policy life cycle.

Stakeholder Review

Once the document draft is ready, the stakeholders should review the document to ensure its efficacy. Stakeholders may provide feedback on the writing style (typos, grammar, language, tone, etc.), policy clauses (whether the policy makes sense to their business, whether there are operational limitations, auditability challenges, etc.), or any other feedback as deemed applicable. It is essential that any feedback received be addressed in a professional manner. The policy owner/author should either accept the feedback or rationalize it with the stakeholders. This would entail either making the stakeholder understand the policy owner's/author's stance or coming to an agreement by making some modifications to the existing clauses.

Identify Key Success Factors and Key Performance Indicators

Before the policy is approved, it is equally important to identify and agree with the management on the key success factors of the policy. The key success factors will be measured or tracked by key performance indicators. Using these indicators, the policy owner/author and the management can, in a rational way, measure the success or failure of policy implementation.

Policy Approval

This is the last step in this phase of the policy life cycle and involves getting the policy document vetted and signed off at the appropriate level within the organization hierarchy. Once signed off, the document is ready to be published.

