Organizational Policy Review
Summary
This methodology explores existing organizational practices, informal agreements, and policies around managing information security and responding to threats. It also seeks to reveal presumptions made within the organization which are neither shared (informally or otherwise) nor codified in policies.
Purpose
Many smaller organizations do not have formal policies around information security. This is not inherently a good or bad thing, as informal agreements and practices often take their place. The goal of this component is to reveal any presumptions that are not shared, to help set more formalized agreements across the organization, and to cross-verify these policies, practices, guidelines, and informal agreements against what is actually taking place (generally using activities from the data assessment and device assessment methodologies).
- Identify what (if any) baseline policies or informal agreements exist to respond to common information security and business continuity challenges
- Clarify any presumptions being made but not effectively shared
- List of existing agreements and gaps?
- Resources to formalize/expand agreements to policies
- Onboarding checklist (entry/exit policies?)
Guiding Questions
- Are there documented policies or practices, including any employee onboarding guidance?
- What is the level of formality of the security practices in place? Are they verbal conventions, written documents, or something in between?
- What is the understanding by the management and/or staff on common security practices?
- Are there presumptions being made by some staff which are not shared?
- How are any of these implemented / required / verified within existing organizational practice? Specific aspects to explore are:
  - Password expectations (password management, complexity, requirements)
  - Entry/exit policies and account management
  - Information classification that limits access (e.g. who has access to financial data? partner data?)
  - Backups
  - Acceptable use policies (what staff can and cannot do with their work devices)
  - Travel policies (VPN usage, etc.)
Operational Security
Storage: Store documents and files received in secure and encrypted volumes or disks. Be aware of (and avoid using) any insecure temporary locations.
Communication: Utilize secure communication channels to receive policies and discuss them.
Preparation
If you have received copies of policies (through interviews or even the audit agreement process), a thorough review of the written policies is required to assess whether they are being followed, enforced, or have changed since being formalized.
Outputs
- List of existing agreements and policies and their gaps
- Resources to formalize/expand agreements to policies
- Providing initial support to help the organization decide on and agree to baseline guidance around critical digital security controls, such as an onboarding checklist, entry/exit policies, etc.
Activities
- Identifying Informal Agreements: The activity aims to assess which kind of informal agreements regarding best practices and security directives are formulated, accessed…
- Security Policy Review: The activity aims to understand the organization's internal security policy context, looking for existing policies, understanding how they…
- Interviews: The auditor conducts interviews with various staff members to gather information on the organization's risks and capacity. Q&A sessions are…
- A Day in the Life: The auditor checks staff devices for updated systems and software, anti-virus and other security capabilities, and identifies software…
References and resources for Organizational Policy Review
- Policy Templates: Organizational Security Policies - Template (AccessNow; available in English and Spanish)
- Policy Templates: Frontline Policies (Open Briefing; available in English and Spanish). See also the associated Knowledge Base with directions on how to use the templates.
- Policy Templates and Process: SAFE AND DOCUMENTED FOR ACTIVISM (English, Spanish; focused on activist organizations)
- Policy Templates: Information Security Policy Templates (SANS)
- Meta-Framework: Cybersecurity Framework (NIST)
- Guide: "Mitigation Recommendation" (NIST SP 800-115)
- Overview: "How Is Risk Managed?" (An Introduction to Information System Risk Management)
- Book: "Digging Deeper into Mitigations", p. 130 (Threat Modeling, Adam Shostack)