Even pure technologists have to write security policies in an enterprise environment. As a subject matter on something, technology experts might be asked to contribute to the Software Development or the Internet Acceptable Use policies.
However this leads to policies that nobody reads. Copy-and-paste texts, dry language and 60-page long documents. Rings a bell, anyone?
In the following post I reveal a few tricks up my sleeves for writing simple, crystal-clear and straightforward security policies.
Write Clearly in Plain English
Your audience might have a diverse cultural or educational background. They might speak English as a second language. Some of them may even use Google Translate to read them.
- Know your audience
- Construct simple and compact sentences
- Avoid being too formal
- Keep jargon, legal lingo and slang to a minimum
- Abbreviations should refer to the original word or phrase (in a footnote or Terms of Glossary)
- Get to the point and do not over-explain anything
Keep Policies Simple Stupid
- Do not regulate two different areas in a single policy (e.g. Information Classification Policy combined with Media Disposal Policy)
- Do not regulate areas outside of your boundaries (e.g. to prevent business fraud)
- Be visual (e.g. use RACI charts for defining roles and responsibilities)
- Structure the text with paragraphs
- Paragraphs should have relevant titles
- Be consistent (e.g. do not randomly refer to employees as users, employees and workers, just pick one)
Tailor To Your Organisation
Remember, Policies are meant to support the business activities that makes the shareholders happy.
- Originate policies from the Security and/or Business Strategy
- Never use policy templates, they regulate a different business environment from yours
- Write the policies that your organisation actually needs (for instance do not publish a Cloud Policy if you only have datacenters)
- If you end up with more than 12 policies, your policy structure is wrong
Avoid Like the Plague
- Technology should be regulated in standards, procedures and guidelines
- Broken cross-references to policies and other documents
- 3 page long cover pages
- Documents longer than 8-10 pages
- Comic Sans MS
Put the Sexy Back into Security
- Choose a policy framework (ISO 27002, COBIT) or brew your own
- Dump the boring Word format for storing policies as Wiki pages (e.g. Confluence)
- Keep previous releases of the policy available
- Do version tracking. Textual changes between policy releases should be apparent.
- Finally make those policies accessible! Instead of http://a03srv21.prod.intranet.com/pages/TripeReceipes/SecurityPolicies.aspx?iamanidiot=yes register a custom domain such as https://security.intranet.com/ and store everything there
- Plain English Campaign
- GIAC Policy Writing Guide
- SANS Policy Writing Prep Guide
- Tips for writing easy-to-understand security policies (TechRepublic)