The Policy Labyrinth

by Brian Petzold | Apr 30, 2021

You started with an Information Security Policy that covered the basics. Then one day an auditor walked in and asked to see your Data Destruction Policy, so you wrote one. In the next exam, regulators said you should have a Vulnerability Management Policy, so you again created a new policy using a template you found on the Internet. Over the years you and others added more policies as they were requested, and now you have a formidable mountain of policies that need to be reviewed and approved each year.

When you review your policies, you start to notice that the policies are not consistent. The person who wrote the Data Classification Policy did not realize that there was already a Data Destruction Policy, so they added a data destruction section to the new policy that contradicted the existing policy.

The Remote Access Policy states that the IT Manager needs to approve VPN access, but a VPN Policy says the CEO needs to approve this access. The Acceptable Use Policy says that occasional personal use of the Internet is allowed, but the Information Security Policy says that personal use is forbidden. It is a mess that I call the policy labyrinth, and we see it all the time.

Our advice to institutions that find themselves stuck in a policy labyrinth is that it is easier to start over than to try to fix what you have. Create a single Information Security Program made up of sections that cover what you used to have as separate policies.

Taking this approach allows you to easily cross-reference policies where they interact with one another and avoids repetition and contradictions between policies. Instead of the Acceptable Use Policy being a separate document, it simply becomes a section of the Information Security Program. This approach also gives your policies a structure that you can then extend to any procedures or standards you write, making your entire security program easy to understand and follow.

If you find yourself in a policy labyrinth, we're here to help! We start with an Information Security Policy template that is built straight from FFIEC guidance, and we work with your institution to customize the included policies to meet your needs.

To get out of your policy labyrinth and gain peace of mind, email us at support@bedelsecurity.com. 
Additional Resources:

The Virtual CISO Whitepaper
https://www.bedelsecurity.com/the-virtual-ciso-whitepaper

Is it Time to Give Your Information Security Policies a Refresh?
https://www.bedelsecurity.com/blog/is-it-time-to-give-your-information-security-policies-a-refresh

Implement Practical Policies and Processes to Improve Your Cyber Security
https://www.bedelsecurity.com/blog/implement-practical-processes-policies-improve-security 

How to Create a Data Classification Policy
https://www.bedelsecurity.com/blog/how-to-create-a-data-classification-policy