In the last Back to the Basics post, we discussed starting the writing process for security policies and procedures. Once you have the initial draft completed and upper management has signed off on it, what do you do next?

Many organizations will consider it final at that point and push it to the repository where documentation goes to be stored and largely unread. Ensuring that your employees are engaged in the process or at least interested enough to open the documents is another challenge.

Have you ever been tasked with writing a security policy and feel completely lost as to where to start?

This feeling is a normal one that we have seen time and time again in our respective consulting careers while doing security assessments. At some point, a member of the security team is tasked with writing a policy for the organization in order to fill a compliance need, but aren’t given any further guidance or framework to the content and format. Uncertain of how to fully complete the policy, one usually starts with Google looking for templates and examples of policy from other organizations they can borrow from. This results in a pasted together collage of policies and standards which may meet compliance requirements, but aren’t integrated with daily practices.

While this scenario is all too common, it doesn’t have to be. Given a little time and care, it is possible to create a set of policy and procedural documents without a lot of headache.