Policies and Procedures
Many security standards require the completion of security policies, standards, and procedures. These documents are often clumped together into the phrase “policies and procedures.”
The challenge for most organizations is where to start. Do I search the Internet and hope to come across somebody else’s policies, then change the name and make them my own? Do I buy some random library and hope to understand it and customize it as needed, if I have time? If you do those things, you might always wonder whether or not your policies are in alignment with any particular standard, such as NIST, ISO, HIPAA, PCI DSS, etc.
HALOCK has done that work already. We have reviewed the security standards that require policies and other supporting documentation, and we have a starting point that organizations can customize to fit their own environment, with guidance and support.
The HALOCK Program
WHAT ARE YOUR STANDARDS?
The HALOCK program is based on the security standard you would most like your policies to align with, such as NIST 800-53, ISO-27002, HIPAA, PCI DSS, or others. Our extensive template libraries are ready to go and include all of the controls from various security standards. These templates are available for customization. Our methodology provides a streamlined process for you to arrive at a solid policy and a justification for your procedures.
Policies, Standards & Procedures Workshop: HALOCK conducts a training workshop that introduces the documentation framework being implemented in your project, which you will be adopting and managing going forward. The workshop covers the appropriate purpose, function, and content of policies, standards and procedures, and the processes that HALOCK and you will use to develop appropriate documentation. Each area is reviewed with examples.
Policy Drafts: We coordinate and facilitate interview sessions with your management and key personnel who were identified in planning sessions. Policy templates are used to guide discussions for customizing requirements in policy clauses.
We develop draft information security policies for you by selecting clauses from HALOCK’s library of policies based upon your required level of compliance. These policies are reviewed as a team, and individual clauses are customized as necessary.
WHAT ARE YOUR INTERNAL STANDARDS FOR POLICIES?
Internal Standards. Once the policies are created, a longer effort is required to create the individual internal standards that align with each policy. The effort to complete these internal standards is not to be underestimated. In many cases, when establishing a policy, the organization may not yet have developed the details regarding the rules, tools, technology, processes, measurements, frequency or approvals associated with that policy clause. They may know what to do, and they might actually be doing it, but they have never documented those particular activities.
Standards could be described within a few bullet points, perhaps a table or a diagram, but it is also possible that a full additional document needs to be created that describes all of the details of that internal standard. Examples include a data classification standard, a password standard, a software development lifecycle standard, a configuration management standard, etc. The details of those standards are drawn out by the HALOCK consultant with the client and are documented appropriately.
WHAT PROCEDURES NEED TO BE DEVELOPED?
Procedures. After the internal standards are created, the client progresses to creating procedures as needed. These procedures are unique to each organization and are designed to be at the level of detail that the organization needs them to be.
WHAT TEMPLATES OR TOOLS CAN I LEVERAGE?
Template Library. You have access to “smart” policy templates that contain notes in comments to help drive the discussion for customization. They automatically incorporate the key areas that auditors seek – such as purpose, scope, dates of last edit and publication, and enforcement information, as well as the exception process. Our templates guide you easily through these types of prompts.
Source Standard. Traceability back to the actual standard control number is important, at least at the outset of the documentation, because, let’s face it, any time a particular security control gets put into place, people want to know where it comes from. Being able to trace a procedure back up through the internal standard, and all the way back up to the policy, helps with enforcement of security controls. The ability to trace it back to an official external standard that must be complied with is a powerful directive for compliance for the average user.
WHO WOULD BE THE PRIMARY AUTHOR?
When you select your template library, you can then determine the level of HALOCK engagement you would like on your policy development. Depending on your time and resources, we are available based on your needs. Your options include:
- A HALOCK consultant is the primary author, where most of the work is done in meetings with you. Your participation is to be interviewed, and the HALOCK consultant manages the creation of the documentation in full.
- A HALOCK consultant is your coach, where our consultant helps guide and advise, but client personnel are accountable for creating the documents for review by our consultant coach at periodic intervals.
- A hybrid of both, where some of the standards are led by the HALOCK consultant and others are developed by your staff.
The decision between these three is basically a selection of hours.
HALOCK can help you develop policies and procedures that are practical, understandable and useful to information workers, technical administrators and auditors. Leveraging our own policy library and proprietary approach, we help you identify requirements; draft policies and procedures; test those procedures; and improve and finalize your documentation in a manner that is clear and actionable.
HALOCK is headquartered in Schaumburg, IL, in the Chicago area and advises clients on reasonable security to support their management of risks throughout the US.