Implementation

Once the policy document is published, the policy owner/author should ensure the implementation of the policy. This involves a number of steps.

1.6.2.1 Communication and Awareness

Communication and awareness is a key step in making a policy implementation successful. The policy owner/author should begin by drafting a comprehensive communication and awareness plan for the policy. The plan should assess the objectives that need to be achieved by the policy, understand the audience and the business it affects, and lastly, set the time frames (if any) within which the policy objective is to be achieved.

The plan should, among other things, draw a timeline for its activities, identify the media to be used, and agree on the tone and content of the message to be delivered. It should further devise a mechanism to record or assess the effectiveness of the message delivered.

Creating awareness is key to policy implementation, because unless a policy is communicated and people are made aware of the policy and the potential change it may introduce in their daily life or the way they conduct business, and how it will benefit them and/or the business, there may be a natural resistance, as humans instinctively resist change.

1.6.2.2 Create/Update Processes

The next step in implementation is to make changes in your business processes to incorporate the essence of the new policy. This may necessitate creating new processes or updating existing processes to be in compliance with the new policy and be aligned to achieve the desired objectives.

For example, now that S3 Inc. has decided to implement an ISMS, one of the first things Mr. ISM has done is to create an Information Security Steering Committee. This effectively is a new process, wherein all enterprise information security risks will have to be validated by this committee; all new projects, any new line of business that is started, or any new service/product that is launched will have to be validated by the committee. At the same time, it may impact certain existing processes. For example, going forward, any changes, updates, patches, and/or product updates applied by the information technology team will have to be assessed for cyber risks and be vetted by the change management committee or change advisory board.

1.6.2.3 Provide Tools Where Possible

Technology can be a good friend. The policy owner/author should look at all available opportunities to automate the implementation of the policies and use technology effectively to deploy and monitor the performance of the policies. Users should be provided with tools that can help them adopt and implement the policy.

For example, the new security policy mandates that users report security incidents to the security team. To help users comply with the policy, the policy owner/author could create an online form on the intranet or a ready-made email template that users can use to submit incidents to a dedicated mailbox. This will help users provide all the relevant information needed by the security team, as well as ensure that the records collected by the security team are uniform and leave no room for ambiguity.
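An added example (not from the book) of what sits behind such an intranet form: a validator that rejects incomplete or ambiguous submissions and turns each accepted one into a record with a fixed shape, so the security team's records stay uniform. The field names, the category list and the sample submissions are assumptions constructed for this illustration.

```python
"""Normalize security-incident reports submitted through an intake form.

Every accepted report is returned with the same mandatory fields, normalized
category and ISO 8601 timestamp; anything ambiguous is returned as a list of
errors so the reporter can correct it before it reaches the team mailbox.
Field names and categories below are assumptions for this example.
"""
from datetime import datetime, timezone

# Mandatory fields the security team needs on every record (assumed)
REQUIRED_FIELDS = ("reporter", "observed_at", "asset", "category", "description")
# Closed list of categories so reports can be counted and trended consistently
CATEGORIES = {"phishing", "malware", "lost_device", "unauthorized_access", "other"}
MIN_DESCRIPTION_CHARS = 20  # assumed: one-word descriptions are not actionable


def normalize_incident_report(form):
    """Return (record, errors). record is None when errors is non-empty."""
    errors = []
    # Treat empty or whitespace-only values the same as missing values
    cleaned = {k: str(v).strip() for k, v in form.items()}
    for field in REQUIRED_FIELDS:
        if not cleaned.get(field):
            errors.append(f"missing field: {field}")

    category = cleaned.get("category", "").lower().replace(" ", "_")
    if cleaned.get("category") and category not in CATEGORIES:
        errors.append(f"unknown category: {cleaned['category']!r}")

    observed = None
    if cleaned.get("observed_at"):
        try:
            observed = datetime.fromisoformat(cleaned["observed_at"])
        except ValueError:
            errors.append("observed_at must be an ISO 8601 timestamp")

    if cleaned.get("description") and len(cleaned["description"]) < MIN_DESCRIPTION_CHARS:
        errors.append(f"description shorter than {MIN_DESCRIPTION_CHARS} characters")

    if errors:
        return None, errors

    # Uniform record: same keys, same formats, regardless of how the form was filled in
    record = {
        "reporter": cleaned["reporter"],
        "observed_at": observed.isoformat(),
        "asset": cleaned["asset"],
        "category": category,
        "description": cleaned["description"],
        "received_at": datetime.now(timezone.utc).isoformat(),
    }
    return record, []


# Constructed sample submissions: one complete, one that a free-text email
# would have let through with gaps.
GOOD_FORM = {
    "reporter": "a.user",
    "observed_at": "2024-03-04T10:15:00",
    "asset": "LAPTOP-0421",
    "category": "Phishing",
    "description": "Received an email asking me to confirm my password on an external site.",
}
BAD_FORM = {
    "reporter": "b.user",
    "observed_at": "yesterday afternoon",
    "category": "weird stuff",
    "description": "looks odd",
}

if __name__ == "__main__":
    for form in (GOOD_FORM, BAD_FORM):
        record, errors = normalize_incident_report(form)
        print(record if record else errors)
```

Because the validator returns the list of problems rather than silently accepting the submission, the form can show them to the reporter immediately; the security team then only ever receives records that carry every field it needs, in one format.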

Enforcement

This is to make sure that the policy is being followed by the intended audience, which could be the internal employees, outsourced staff, vendors, etc. There are two key steps within this phase: monitoring compliance, and influencing the user's behavior using the carrot-and-stick approach.

1.6.3.1 Monitoring Compliance

During the development phase, there was a discussion about identifying success factors and key performance indicators to evaluate the success of the policy. Similarly, during the implementation phase, there was a discussion about creating/amending processes as well as using technology to ensure compliance with the policy.

In the enforcement phase, the policy owner/author needs to follow up through the use of technology and/or records created as part of the updated processes to ensure that the new policy is being complied with.

For example, the new access policy says that vendors should be escorted and supervised in the data center. The policy owner/author may verify this by checking the access logbook of the data center or the access control records of the data center; these may be cross-verified with CCTV logs.

1.6.3.2 Influencing User's Behavior (The Carrot-and-Stick Approach)

Humans, by nature, resist change, and it requires a certain amount of conditioning of the human mind before they accept it. This conditioning can in part be achieved through communication and awareness, where the policy owner/author talks about the benefits of the policy and how it could help both the individuals and the organization. The policy owner/author can also subtly convey the message that non-compliance with the policy could lead to monetary losses (fines for individuals or organizations) and/or punishments (loss of jobs or jail sentences).

The human mind also has a rebel streak, and it is important that the message communicated is reinforced from time to time. For example, if the policy subjects observe or believe that non-compliance with the policy does not really lead to any personal fines, punishments, or accountability, compliance will deteriorate over a period of time. Hence, it is necessary that the human conditioning is maintained over the whole policy life cycle. It is usually a dual approach, where good actions are rewarded (carrot) and bad actions are punished through disciplinary action (stick).

During the initial period, especially in the case of new policies, it may be better to devise a rewards program that effectively motivates the subjects to adhere to and comply with the policies. Over a period of time, this could become part of the overall employee appraisal program, which should evaluate an individual's compliance with policies.

Assess, Review, and Update

This is an important phase in the life cycle of any policy. A policy is not "God's word" and is not cast in iron either. The dynamics around the policy can change, and at times may change rapidly. It is imperative that the policy owner/author has a grip on the policy and is able to steer it, amend it, and keep it relevant in the changing dynamics. Some of the factors that may impact the relevance of the policy include a change in business objectives, a change in management, or a change in the regulatory regime. The policy owner/author will have to ensure that the policy is adapted to stay in alignment with these changes. Such changes may not occur regularly; the more routine part of this phase is ensuring that, within the established context, the policy is delivering as expected.

Let us consider some scenarios and review them in the context we are discussing now.

1. One example is a Remote Access Policy and how it impacts employees who live far away and young mothers. This is an example of the collateral impacts of the policy; the policy owner/author should review the benefits accrued to the organization vis-à-vis this policy and the loss of its staff.
2. Another example is about data center access, where there are indications that IT staff are not adhering to the "escort vendors" policy because the CCTV footage does not tally with your access control records. This is a pure breach, and the policy owner/author should do a root cause analysis for this behavior. Maybe the IT staff are under pressure and cannot spare time to act as escorts to the vendor. This could point to operational challenges in the work environment.
3. Yet another example could be a rise in the number of security incidents reported. This could point to the success of a policy asking employees to report security incidents and does not necessarily mean that the security position of the organization has deteriorated. Every metric needs to be carefully evaluated; a number going up or going down is, by itself, an indication of neither policy success nor policy failure. In the same example, the number of incidents would typically increase in the initial days as users start reporting suspicious activities as incidents. Over a period of time, however, this will plateau as users improve their skills and ability to identify suspicious activities. In the long run, as overall organizational maturity improves, the technology improves, and the information security team improves its skills, the reported incidents may eventually decrease.
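The data center check described under Monitoring Compliance, and the discrepancy in scenario 2 above, can be done mechanically rather than by reading the logbook by hand. The following is an added example, not from the book: it parses a badge reader export, matches each vendor badge-in against the escort logbook, and flags entries with no logbook cover or whose named escort never badged into the same door around the same time. The findings are the items a policy owner would then cross-check against CCTV and take into root cause analysis. The badge scheme (E- for employees, V- for vendors), door names, the five-minute escort window and all records are constructed assumptions.

```python
"""Cross-check data center badge records against the vendor escort logbook.

A vendor badge-in is compliant only if a logbook entry covers it and the
named escort badged through the same door within ESCORT_WINDOW.
All data and naming conventions here are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

ESCORT_WINDOW = timedelta(minutes=5)  # assumed tolerance between escort and vendor badge-in
DC_DOOR = "DC-MAIN"                   # assumed reader name for the data center door


@dataclass(frozen=True)
class BadgeEvent:
    when: datetime
    badge: str   # "E-..." employee, "V-..." vendor (assumed scheme)
    door: str


@dataclass(frozen=True)
class LogbookEntry:
    vendor_badge: str
    escort_badge: str
    time_in: datetime
    time_out: datetime


def parse_badge_log(lines):
    """Parse 'timestamp,badge,door' lines (constructed export format) into events."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, badge, door = (field.strip() for field in line.split(","))
        events.append(BadgeEvent(datetime.fromisoformat(ts), badge, door))
    return events


def find_unescorted_vendor_entries(events, logbook, door=DC_DOOR):
    """Return (vendor event, reason) for each vendor badge-in at `door` that is
    not covered by a logbook entry corroborated by an escort badge event."""
    findings = []
    employee_events = [e for e in events if e.badge.startswith("E-") and e.door == door]
    for ev in events:
        if ev.door != door or not ev.badge.startswith("V-"):
            continue
        entry = next((l for l in logbook
                      if l.vendor_badge == ev.badge and l.time_in <= ev.when <= l.time_out), None)
        if entry is None:
            findings.append((ev, "no logbook entry covers this entry"))
            continue
        # The logbook names an escort; confirm that person was actually at the door
        escorted = any(e.badge == entry.escort_badge and abs(e.when - ev.when) <= ESCORT_WINDOW
                       for e in employee_events)
        if not escorted:
            findings.append((ev, f"escort {entry.escort_badge} has no badge event at {door} within {ESCORT_WINDOW}"))
    return findings


# Constructed badge reader export for one day
BADGE_LOG = """
# timestamp,badge,door
2024-03-04T09:58:00,E-1042,DC-MAIN
2024-03-04T10:00:30,V-7001,DC-MAIN
2024-03-04T13:15:00,V-7002,DC-MAIN
2024-03-04T15:40:00,V-7003,DC-MAIN
2024-03-04T15:41:00,E-1042,OFFICE-3
"""


def _t(hour, minute):
    return datetime(2024, 3, 4, hour, minute)


# Constructed logbook: V-7001 properly escorted; V-7003 signed in but the escort
# was badging into an office elsewhere; V-7002 never signed in at all.
LOGBOOK = [
    LogbookEntry("V-7001", "E-1042", _t(9, 55), _t(12, 0)),
    LogbookEntry("V-7003", "E-1042", _t(15, 30), _t(17, 0)),
]

if __name__ == "__main__":
    for event, reason in find_unescorted_vendor_entries(parse_badge_log(BADGE_LOG.splitlines()), LOGBOOK):
        print(f"{event.when.isoformat()} {event.badge}: {reason}")
```

Two of the three vendor entries are flagged: one with no logbook cover and one whose escort was demonstrably elsewhere. Both kinds of finding feed the root cause analysis in scenario 2; a check that only confirmed the logbook had been filled in would have missed the second.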

The policy owner/author should ensure that they identify the right metrics for evaluating the success of the policies and also evaluate if there are any collateral impacts that the policy introduces. Based on this feedback, the policy should be tuned from time to time to ensure that the desired objective is achieved.

End of Life

For various reasons, the organization may reach a point when a particular policy is no longer needed. The reason could be a change in business objectives, a change in management, or a change in the regulatory regime, as well as changes in technologies or changes in business processes.

Once the policy owner/author, in agreement with the management, reaches the conclusion that a policy is no longer needed, it is best advised that such a policy is formally revoked through proper notification. The policy owner/author should assess and advise the management, the policy subjects, and the stakeholders on any legal and regulatory requirements related to records pertaining to the old policy.

The policy subjects and the stakeholders should receive suitable communications advising them on the date when the policy ceases to be in force, if the policy will be superseded by any other policy, advice on maintaining documentation and records related to the old policy, and any other information that may be necessary.
