Security Policies: It’s a Dirty Job, But Somebody’s GOT to Do It!

Security policies and procedures reduce risk and are the foundation of a compliant cybersecurity program

Of the dozens of components that make up a robust, compliant cybersecurity program, security policies and procedures probably elicit the greatest aversion and suffer the most frequent procrastination.

It doesn’t seem to matter that maintaining policies and procedures is universally considered a sound business practice. Or that thorough, detailed policies and procedures are mandated by most security regulations and cybersecurity frameworks. Or that having effective, documented policies and procedures can bolster your defense after a data breach by demonstrating your organization’s commitment to sound cybersecurity.

No one in an organization gets really excited at the prospect of researching, writing, updating, or maintaining security policies and procedures. It is a thankless task for most—but a labor of love for some. An individual who can ferret out the details, spot missing steps, and write a complete policy or procedure is worth their weight in gold.

If your organization doesn’t have such talent internally, outsourcing the task to a credentialed professional or to a reputable cybersecurity consultancy is an excellent option.

The Difference Between Policy and Procedure

Policies and procedures are not the same thing, although they are very closely related.

The Webster and Oxford dictionaries and other sources offer these definitions of policy:

• Prudence or wisdom in the management of affairs;
• A definite course of action or method of action selected from among alternatives and in light of given conditions to guide and determine present and future decisions;
• A set of ideas or a plan of what to do in particular situations that has been agreed to officially by a group of people, a business organization, a government, or a political party;
• A deliberate system of guidelines to guide decisions and achieve rational outcomes.

Policies arise from an organization’s mission, vision, values, and strategic plan.

Procedures, in turn, stem from policies. They provide instructions for implementing policies. Procedures have been defined as a series of actions conducted in a specified sequence, or the official or accepted way of doing something in order to achieve the policy.

Policies and procedures should be viewed as living, breathing documents that change with your business—reflecting its growth or expansion, the introduction of new systems and technologies, the identification of new cybersecurity threats, and changes in your industry or regulatory requirements.

As such, policies and procedures must be reviewed periodically to make sure they continue to accurately reflect these changes.

Three Good Reasons to Mind Your Ps and Ps

Organizations should develop and maintain cybersecurity and data privacy policies and procedures, or P&Ps, as a means of reducing risk for the organization. Following are three compelling reasons why all organizations need to have current, documented P&Ps. Can you think of others?

• P&Ps are excellent tools for training employees and directing their behavior along your preferred paths. Policies enable employees to understand why the company has chosen to do things a certain way. Procedures provide a level of detail that they can easily follow until they know the steps or process by heart.
• P&Ps are necessary to meet most security compliance requirements, such as those imposed by regulations from HIPAA, the Gramm-Leach-Bliley Act, and the Sarbanes-Oxley Act, as well as state-specific regulations.
• P&Ps are a critical component of cybersecurity frameworks, such as NIST and HITRUST CSF, which require current documentation of detailed security policies and procedures in order to fully implement the framework and achieve certification.

To illustrate, the following are two clear examples of policies and procedures that are required by cybersecurity regulations and frameworks.

Example of Policies and Procedures in HITRUST Framework  

Adopting the HITRUST CSF ensures compliance with a multitude of regulatory requirements. Therefore, the HITRUST Alliance requires professional testing to be conducted by authorized assessors before awarding CSF certification to an organization.

Per the established CSF assessment requirements, “All control processes, system configurations, implemented tools, written policies, and written procedures should be in operation/established for at least 90 days in order to be considered by the assessor during the validated assessment effort.” To ensure that controls are in place and operating effectively, compliance testing consists of the following validations:

• On-site walkthroughs with and interviews of personnel to verify that policies and procedures are documented and implemented;

• Inspection of written CSF-relevant policies and procedures to ensure sufficient coverage of CSF requirements;

• Observation of the performance or existence of relevant controls and control processes;

• Inspection of documentation evidencing the existence/performance of relevant controls, including inspection of documentation associated with samples;

• Performance of technical testing to validate the implementation or operation of relevant controls;

• Inspection of operational or independent measures or metrics used by the organization; and

• Inspection of evidence generated by mechanisms used by the organization to manage relevant controls.

Example of Security Policies and Procedures for HIPAA Compliance

HIPAA Security and Privacy Rules are enforced by the HHS Office for Civil Rights, which investigates instances of incomplete compliance in regulated organizations. Regardless of the primary HIPAA violation under investigation, the vast majority of OCR investigations also find related failures in policies and procedures.

To emphasize the importance of documented P&Ps among healthcare providers and their business associates, the OCR mandates that HIPAA violators take the remedial actions outlined below. (These are in addition to paying substantial monetary penalties and resolving all other violations found by the OCR.) All required remedial activities are monitored to ensure timely and complete remediation.

• Develop, maintain, and revise written policies and procedures to comply with HIPAA.
• Provide such policies and procedures to HHS within 60 days. Revise policies and procedures as recommended by HHS and submit to HHS within 30 days. Implement within 30 days of receiving approval.
• Distribute these policies and procedures to all members of the workforce and relevant business associates within 30 days of HHS approval and to new members of the workforce within 30 days of the start date.
• During distribution, obtain signed written or electronic initial compliance certification from all employees and relevant business associates stating they have read, understand, and shall abide by the policies and procedures.
• Assess, update, and revise policies and procedures at least annually. As needed, provide revised P&Ps to HHS for review and approval. Within 30 days of the effective date of any substantive revisions, distribute revised policies and procedures to all employees and relevant business associates and require new compliance certifications.
• In addition, the policies and procedures must include protocols for training all employees and business associates, and for applying appropriate sanctions against employees who fail to comply with the P&Ps.

Keeping Policies and Procedures Up-to-Date and Complete

Your organization’s policies and procedures should be reviewed at least once a year to make sure they’re still current. Remove any P&Ps that are obsolete due to system changes, retired equipment, or company reorganizations. Develop new documentation around new equipment, new departments, new software, and new practices.

To effectively meet the three primary purposes of your policies and procedures, be sure to publish or distribute them to all appropriate personnel. Because they are living, breathing documents, your P&Ps should not be hidden away or consigned to cold storage. Keep them alive, use them in training, and review and update them routinely! Security policies and procedures are essential business assets. If you treat them as such, your employees are more likely to appreciate their value as well.

As we have seen, security policies and procedures are required by cybersecurity frameworks such as HITRUST CSF and NIST, and by federal regulations such as HIPAA, GLBA, and many others. While it seems a thankless task to develop, write, test, and maintain P&Ps, this task is not a matter of choice for most organizations—it is a requirement. P&Ps are also helpful in employee training, and in demonstrating your organization’s commitment to sound cybersecurity in the event you experience a data breach or cybersecurity incident.

Policies generate procedures, which in turn provide the detailed actions required to implement policy. Policies and procedures should be reviewed annually to ensure they are still current and complete relative to new and retired systems, software, and equipment as well as significant organizational and business changes.

Learn more about how policies and procedures can benefit your organization by attending our complimentary webinar on September 28, 2023.

The National Cybersecurity Alliance celebrates cybersecurity awareness annually in October and provides numerous free resources to help organizations promote cybersecurity. Join 24By7Security and thousands of other organizations in supporting this vital initiative!