A few weeks ago, the SEC issued a Risk Alert regarding its OCIE Cybersecurity Initiative to provide more information on its review and analysis of security controls across major financial institutions. One component of this campaign is a deeper inspection of security policies and procedures. As the backbone of any security program, policies and procedures define expectations, clarify regulatory and corporate obligations, and should provide clear, actionable and demonstrable requirements for the greater organization. In many cases, security issues can be traced back to a failure to implement controls that are articulated in organizational security policies. While policies may seem like a 'passive' part of the security strategy, they are a fundamental element that has a significant impact on the success of managing security risk.
The announcement by the SEC highlights the importance of policies and the supporting procedures driven by corporate requirements. However, the policies - the documents themselves - are only Step 1 in the process. A well-constructed, organized and comprehensive set of standards and procedures provides a window into how broadly and deeply the organization is thinking about security. But reviewing and inspecting these policies without carrying forward into the actual implementation results is merely a type of beauty pageant. "My, what lovely policies you have." While the foundation is laid within the policies and procedures, it is the fingers on the keyboards, the defenses around the castle, and the people, processes and technologies that bring those words on a page alive. Security teams need to win the beauty pageant, but once they are wearing the tiara, they must ensure they are good ambassadors of the crown.
Drive policies through implementation: Once requirements are defined within policies and standards are set, operational procedures must reflect the risk appetite of the organization. Procedures should be tied to the standards so that there is a clear alignment between requirements and the actual manifestation of the controls within operations.
Connect policies to risks: Another element of the SEC's announcement is a 'risk-based' approach to controls. Policies, standards and procedures should also be connected to a common, living set of risks. For security, some of these risks are pretty straightforward - unauthorized access, disclosure of data, misuse of data, availability of systems, etc. But those risks need to be put into the context of the business to then support a risk-based approach - one which ideally articulates the value of controls and the impact of control failures in business terms.
Follow through with compliance: Policies are 'made' for compliance. A policy is near useless if it doesn't articulate a requirement that can be measured, tracked or validated. Compliance should be focused not just on what the organization HAS to do (due to regulatory obligations) but also on what the organization WANTS to do (to manage risk and meet business objectives). A compliance strategy that measures and tracks controls, is driven by risk, and provides the business with visibility into the state of controls will not only meet regulatory requirements but drive better business decisions and build confidence in the organization's ability to manage risk.
The SEC's announcement validates the importance of setting policies and procedures and makes this an elementary facet of security management. Security 'traditionalists' are all trained in creating solid policies and procedures, and the SEC has reinforced this foundation. The key is to not fall into the trap of winning the beauty pageant with controls that are only skin deep. Building a program that is sustainable, realistic and impactful to the organization should be the ultimate objective - not just the sash and diamond tiara of the Policy Beauty Pageant.