Security Procedures – Building on the Foundation of Security Policy

Last month I wrote about the importance of security policies and provided some basic principles for developing solid security policies. This month, I’m going to build upon the foundation of security policies and discuss the importance of security procedures. Security procedures are detailed, step-by-step instructions on how to implement, enable or enforce the security controls enumerated in your organization’s security policies. Security procedures should cover the multitude of hardware and software components supporting your business processes. Below are a few principles to be mindful of when drafting (or reviewing existing) security procedures.

  • Security procedures build upon your organization’s security policies. Your organization’s security policies are the foundation of its security program. An important principle of security policies is that they focus on guiding behavior. Like security policies, security procedures also focus on guiding behavior. While security policies address the who, what and why, security procedures fill in the when (e.g. daily, monthly, upon a certain trigger), where and how relating to security for individuals within your organization. To help focus the security procedures within your organization, standards and baselines should also be defined. Standards and baselines are directed at the technology implemented in an organization, whereas policies and procedures focus on guiding behaviors. As depicted below, think of the relationship between policies, standards, baselines and procedures like a triangle with security policies as the base or foundation:

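[Figure: triangle showing the relationship between policies, standards, baselines and procedures, with security policies as the base]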

Here is an example of how security procedures build upon or enable security policy. Your organization has defined a policy regarding the creation of backups for critical information. The supporting security procedure should define when the backups are executed, to what location and medium, and how the individual steps to execute the backup are performed. Write a procedure for all areas where repeatable and consistent application or enforcement of controls is needed. Remember, procedures are meant to guide an individual’s behavior to obtain a certain end result.

  • Review/update security policies on a regular basis. Just as security policies should be reviewed and updated on a regular basis, security procedures need the same care and feeding. For those procedures that are executed on a regular basis (e.g. daily or monthly), the review should occur as part of the execution of the procedure. Just make sure any updates are made in a timely manner. Procedures that are executed on a less frequent basis (e.g. on a specific trigger like a disaster or incident) need to be reviewed and exercised at a minimum of once per year or as part of the “post-mortem” activities of an actual disaster or incident. Technological changes in your organization will drive the need to update your procedures, and new procedures should be created as part of the overall implementation plan for the new technology.
  • Procedures should contain sufficient detail to be executable. Many organizations have those one or two superstar tech geniuses who know how to do everything. While it is good to have such talent on your staff, it ultimately represents a risk to your organization if security procedures are not put in place. What would be the response if your superstar is out on vacation when his or her knowledge of how to do something is suddenly needed? Avoid such circumstances by developing security procedures that define how, where and when things get accomplished. Avoid developing procedures that rely on expert knowledge as a foundation for executing the procedure; doing so often results in gaps in the procedure. A good test for the level of detail in your procedure is to have some of your more junior staff execute it. If they can do it cleanly, then there is likely sufficient detail in your procedure. If not, add more detail. Also, make sure everyone who may execute the procedure has the proper access/permissions.

 

 
