November 2023 Security Topic: Info Sec Policy and the Brockport Policy Set

     For this article I wanted to compare what SUNY Brockport uses policies for versus what an Information Security Program uses policies for. In a program, policies are used to assign responsibilities to groups, positions or offices related to an organizational requirement that supports a strategic plan objective. In the perfect world of security planning, it all fits together in a very clear set of documents which begin with a strategic plan and end with specific procedures being implemented.

     Policies can be written for many different reasons and have many different purposes, however. Although the field of information security defines them very rigidly and there are clear goals, this might not be the same experience across an organization. It might be useful to start with how we use policies now and then lead into a discussion about how we could be using Information Security policies to meet regulatory requirements and reduce risk to our campus systems and sensitive information.

     Currently we use policies for a wide array of purposes. Some policies are used like campus announcements by providing information, such as the “Student Consumer Disclosure Requirement Policy” or the “Student Employment Supervisor Manual Policy”. Others provide guidelines with recommendations people might want to follow, such as the “Guidelines for Dealing with News Media Policy”. There are policies which outline how SUNY Brockport will comply with various laws and regulations, such as the “Overtime Policy”, the “HIV and AIDS Confidentiality Policy” and the “HIPAA Policy”. Many policies specify standards for processes involving students, such as the “Adding, Dropping, and Withdrawing Courses Policy” and the “Auditing Courses at SUNY Brockport Policy”.

     In comparison with policies found in an Information Security Program, Brockport uses policies for a much broader set of reasons. Essentially, a campus policy at SUNY Brockport can be any statement which communicates an idea and is published in the central repository of campus policy documents. There are around 295 policies, with the Division of Administration and Finance being the largest publisher. Within the Division, the Office of Human Resources seems to be the largest publisher of policies. Most of their policies are related to regulatory requirements, compliance with union agreements, SUNY mandates, etc. This makes sense because HR is very compliance driven, so they would probably desire to have many policies to communicate requirements to the campus. Also, most of what HR does impacts all employees, so it makes sense that they would need to have broad policies published, as opposed to keeping everything internal to the department. The audience for those policies really is the campus and not just the HR department.

     As a campus, we may not feel that policies are useful after being published. Around 70% of policies have not been reviewed after publication. There is no contact information listed for 55% of policies. Surprisingly, University Senate is listed as a responsible party for only 7% of campus policies. About 30% of policies were adopted over 12 years ago. This means that we have many old policies which have not been reviewed and for which no one has been directly assigned continuing responsibility for ensuring that the policy is enacted. Also, either shared governance is not a significant contributor to policy development, or the contribution of shared governance is not adequately captured by the current policy process.

     Based on analysis of the policy set at SUNY Brockport, there may be a wide range of assumptions in the community about what a policy is, what it is for, and even questions about usefulness. Looking at shared governance indications, there may not be much interest across the community in maintaining and supporting policy structures. Although I lacked the time for a full analysis in strategic alignment and program realization, I didn’t see many themes or groupings within the policy set to indicate these tools were being used to support larger organizational goals.

     Although scrutinizing 295 campus policies is not the most exciting way to spend time, it provided an important realization to me. My perception of policies as tools is heavily based on my experience, education and training as an IT and cyber security professional. Because policies are so useful in these fields, there is formal training and best practices with templates for how to build organizational policies in these areas. Like Human Resources, there are some policies that are required by various regulations for an entire organization to have. We haven’t yet experienced this in SUNY, but information security is also very compliance driven, in terms of having organization wide rules for how the University uses technology in ways that protect sensitive information from theft or unauthorized disclosure. Fortunately, the number of required organization wide Information Security policies is much less than our current HR policy set.

     Information Security policies: what’s the pitch? Many organizations without good policies and processes in this area have a common problem. It’s not clear who is engaged in information security work or what they are doing. It’s not clear if anyone is required to be educated or trained, or what they are supposed to be trained in. People throughout the organization may not understand how to assess and manage technology and information risk. It’s difficult for people to know when an incident will happen or what to do when it does. In short, everyone does their best with what they know. When reasonable solutions exist for common problems but aren’t used, there is a potential for an institution to be considered negligent in its responsibilities despite everyone doing their best.

     But what are these reasonable solutions that everyone is supposed to be using? This is why policies are needed. Policies define the basic things that everyone in the organization needs to be doing to avoid being considered negligent. It’s more than common sense or opinion, because of the very complicated nature of information technology solutions and the common consensus that forms across the technology industry and government. I could tell you that Multi-Factor Authentication (MFA) is a great security solution, and it is. The real reason most organizations use it now, however, is because not doing so is considered negligent. Ten years ago, not using MFA was perfectly fine. Most organizations are not competing with the National Security Agency (NSA). They just want to be considered responsible, to avoid liability and potentially for reputational or ethical reasons. Defining how to do that, assigning responsibility, keeping the policies up to date, and communicating them is difficult but important.

     Can we live without information security policies? We have a policy entitled “Anti-Sweatshop Policy”. It’s quite possible we could live without this policy. If the policy did not exist, and maybe some other controls did not exist, we could just buy whatever we want. But then we might be violating the Federal Acquisition Regulation (FAR) and putting the University at risk of other consequences such as reputational damage. The “Anti-Sweatshop Policy” establishes the line between what is considered reasonable by the organization and what is considered negligent or irresponsible. It is important to communicate where these lines are and discourage people from crossing them where possible.

     I could go on for a long time about this topic. But I will give one more reason a policy is important. An information security policy also assigns responsibility and authority to all the various people needed to meet the requirements and to ensure that the organization meets them. They do the actual work to bring the policy alive and to ensure that the organization stays on the right side of the defined line. A policy isn’t just a piece of paper. It must be a guiding document for the people who are going to do things to ensure the policy objectives are met. For information security, the policy objective is almost always to establish the expectation of doing what is considered reasonable and responsible at any given time.

     The word “policy” at SUNY Brockport is an ambiguous term that could mean anything. It is important for us to define Information Security policies as something specific that has the clear goal of realizing an Information Security program and ideally supports an Information Security/Technology strategy. It’s a group of supporting documents intended to meet compliance requirements while also ensuring that people are formally engaged in information security work and that the organization has clearly defined lines in this area. Just like not having MFA, the very act of not having policies in this area is itself becoming an indication of negligence.
