Leafing through our information security policy templates this morning, I couldn't find anything specifically covering off-site working, so I knuckled down and prepared one.
It took longer than planned due to a false start: I soon realized that there are lots of potential policy matters in this area, so I refined the scope to cover just the information risk and security aspects. Following a general policy axiom, the more detailed policy statements describe 'typical examples' of the controls in three main categories (since they are likely to vary according to circumstances), plus a handful of others: about two sides of actual policy, with the usual summary, applicability, introduction and references sections.
This afternoon, I prepared a case study for May's awareness and training module on working off-site based around an intriguing scenario. What normally happens when a home-worker (someone who always, often or occasionally 'works from home') leaves the organization? What should happen? Specifically, how should the organization deal with any work-related information/data the worker may have had at home, on portable equipment, on paper or whatever?
And what if it turns out that the worker has not, in fact, fully complied with policy and employed all the anticipated and required security controls? Tut tut!
There are information risks in this scenario that aren't explicitly covered by the new security policy, but I would argue that they are HR and IT issues that ought to be covered by HR and IT policies - governance, oversight, supervision and compliance matters for instance.
That situation is not at all unusual: in our experience, few 'incidents' or 'situations' are so simple and straightforward as to involve just one issue and one applicable policy. Usually, several rules and regs apply, hinting at the need for a comprehensive mesh of policies, contractual terms, procedures, guidelines, work instructions etc., and there's the rub.
We are infosec specialists. Our products focus on infosec. Infosec is What We Do. We gather there may be one or two other, lesser matters potentially of concern to our lovely customers (!) but there's only so much we can achieve.
Our solution to this conundrum is to refer to other types or categories of policies etc. in the reference section of our policy templates without being too specific. Other information security policies are cited more explicitly since we have the corresponding templates to hand and are familiar with what they say, having written and maintained them. In any event, customers are likely to review and customize the policy templates, adapting and merging them with other corporate policies, procedures etc. - well hopefully anyway, assuming they have the competencies and resources to do that. I suspect many don't, but at least we know the security policy templates form a reasonably coherent and consistent suite. Who knows, maybe the style and structure of our policy templates will inspire customers to review and revise their entire policy structure, bringing the whole edifice into a more professional, valid state, a valuable central element of their corporate governance arrangements.