- Data classification: What is sensitive and which are the sensitivity "levels".
- Data retention and handling: Where the information should be stored depending on how sensible it is, how much time it should be stored, and how it should be deleted or disposed.
- Communications: Which are the acceptable communication channels and which ones to avoid, minimum requirements of communication channels to transmit sensitive data.
- Backup: What information should be backed up, from which devices, and in which conditions.
- Institutional account management: Shared credential management, the privacy of contact information, engage with links and files received through public channels, etc.
- Physical office management: Access, keys, cameras, alarms, visit control, etc.
- Password, authentication, and account management: Secure password criteria, multi-factor authentication for specific accounts, password managers, etc.
- Device use and management: Device encryption, places where sensitive information can be stored, removable media management, screen lock, device passwords, shared use, etc.
- Secure web browsing: VPN use, restricted websites, interaction with suspicious links and files, etc.
- The policies are applicable to the current organizational processes? If not, the staff is trying to adapt them informally to the current situation or they just disregard the policies entirely?
- How are the policies stored? Does everyone has access to them?
- How frequently they are updated? There are people responsible for revision?
- There are ways that policy compliance can be checked? The organization is checking them?
Ask for documentation - this may come out of Capacity Assessment work, first contacts with the organization, or other activities.
Review documentation and compare with existing baselines, and against identified vulnerabilities - do these policies help mitigate risks? (see references).
Check the areas covered by the policies, some examples are:
Make sure to take notes on the following operative aspects of the policies as well:
With all this input, propose a map like the one in the "Identifying Informal Agreements" activity.
There must be a good understanding of the organizational capacity and commitment to implementing and maintaining formal security policies. Based on this assessment, consider beginning with more informal agreements among staff which still help centralize their approach to security and improve their preventative measures and ability to respond to incidents that are easy and effective to adopt. Encourage a "testing" phase of these practices for the organization to then begin formalizing the ones which work and test new approaches for any which did not continue.