NBlog June 6 - layers within layers

As I mentioned on the blog yesterday, we are working our way systematically through the suite of ~70 information security policies, making sure they are all up to scratch.

For context, the suite consists of 60-odd topic-based policies, plus an overarching high-level Corporate Information Security Policy, plus a handful of ‘acceptable use policies’ which are really guidelines with a misleading name.

We have here the bare bones of a typical policy pyramid with policies supported by corporate standards, guidelines and procedures and, of course, stacks of awareness and training stuff beneath.

The 60+ topic-based policies cover a wide range of information risk and security topics such as:

• Awareness and training;
• Identification and authentication; 
• Access control; 
• IPR; 
• BYOD;
• Insider threats; 
• Whistleblowing (new!);
• IoT security;
• Assurance. 

... and so on (derived originally from the structure of BS7799 then ISO27k), all in about 3 pages each in a standard format, ending with a cross-reference table listing other relevant policies etc. – and that’s where it gets interesting. Potentially, each policy could refer to any of the others, suggesting a master 60+ x 60+ matrix with ~3,600 cells each denoting the presence or absence of a cross-reference. Oh boy! Even assuming the cross-references would all be bi-directional (which seems likely), that’s still ~1,800 cells to complete in the matrix, and then check that the appropriate references are included in each of the 60+ policies. And then maintain, month by month as the policies are systematically checked and revised.

Looking at the existing cross-references, I’ve realized that all 60+ policies need to refer to the overarching Corporate Information Security Policy and almost all refer to the policy on information risk management. Information governance, information ownership and accountability, compliance and assurance policies feature in most of them too. Several refer to polices on general/infrastructure controls such as information classification and security awareness. In other words, I think I’ve stumbled across a 3-layer structure within the policy suite, in addition to the policy pyramid above. It’s not exactly clear yet, though.