The necessary evils: Policies, Processes and Procedures

Published: 2010-01-23
Last Updated: 2010-01-24 01:37:42 UTC
by Lorna Hutcheson (Version: 1)
1 comment(s)

This isn't a glamorous topic, and quite frankly it's not my favorite one to talk about or to work on.  I'd much rather be off in a corner looking at malware or analyzing some packets.  However, it is one that I respect, and I understand its importance.  It is one that you can't afford to overlook.  I have found time and time again that having good policies, processes and procedures keeps you out of trouble.  Before we start, let's make sure that everyone understands the difference.  I have seen time and time again where the three get mixed up and procedures end up in the policy, etc.  They each serve different purposes.   A policy is high level and lays out, briefly and concisely, what is expected.  It doesn't tell you how to do it.  The processes lay out the flow of information it will take to enforce the policy.  The procedures lay out the exact "how" you are going to do something.  For example, the policy states that you will have an incident handling team.  The process lays out the different areas, the people involved and the flows of information that have to be considered in order to have a good structure to support an incident handling team.  A procedure then takes specific areas of the process and defines exactly "how" to do it.

How can this keep you out of trouble, you might ask?   Well, let's say someone didn't like the fact that they got caught surfing porn at work.  In fact, they were so upset that they filed an HR complaint and said that you were targeting them because you didn't like them.  If things were done right, you took your company's Internet usage policy, which states the acceptable behavior of employees.  (Surfing porn while at work was forbidden in the policy.)  That Internet usage policy was broken down into a process (or processes) for how to enforce the policy.  Some of the policy would be enforced on the firewalls and some on the web proxy.  The IDS had rules created that audited the policy and looked for traffic containing porn.  Each of these three areas was further broken down into procedures for how the devices would be configured, how notification would occur, who to report things to, etc.  All of the processes and procedures were sent to management for review, which they approved.  The disgruntled employee does not have a leg to stand on.  You can show that you were following the approved processes and procedures, that they apply to all network traffic, and that they do not target a specific individual.  Otherwise, you have to prove that you were not targeting them, without the benefit of showing you were following approved processes and procedures.

Another thing: whether you are on the incident handling team, a security analyst in the SOC or a user on the floor, having processes and procedures is critical to protecting your organization's information.  You can't afford to have a major event and realize you don't know what to do.  When your network is under a heavy DoS attack is not the time to find out that your procedures didn't get updated for the new equipment you now have in your infrastructure.  If you're handling an incident and management is going crazy and yelling at everyone, that is not the time to find out you don't have a procedure written for taking a dd image of the hard drive.  Everyone just always knew how to do it, and now you have the newbie with you who doesn't.  It may not even be that they are not written; stress can make you forget things.  Mistakes are less likely to be made if you follow a laid-out process and procedure when things get hectic and people are screaming.
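As an added illustration of what a written "dd the hard drive" procedure can look like when it is turned into something the newbie can run under pressure, here is a small imaging script. It is not from the diary or from any ISC tool; it assumes a POSIX shell with dd and either sha256sum or shasum available, and the function names image_disk and hash_file, the log format and the sample device paths in the usage comment are all made up for this example. The steps it encodes are the ones that get forgotten when people are yelling: refuse to overwrite an existing image, hash the source before touching it, image with conv=noerror,sync so bad sectors do not stop the copy or shift offsets, hash the image, and write every step with a timestamp and the operator's name into a custody log.

```shell
#!/bin/sh
# Added example (not from the diary): a written, repeatable disk-imaging
# procedure. Assumptions: POSIX sh, dd, and sha256sum or shasum; the
# caller supplies source, destination and log paths. The function names
# image_disk and hash_file are hypothetical.
set -eu

# Print the SHA-256 of a file or block device with whichever tool exists.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# image_disk SOURCE DEST LOG
#   1. refuse to overwrite an existing image (never destroy evidence)
#   2. hash the source before reading it with dd
#   3. image with dd: noerror keeps going past unreadable sectors, sync
#      pads them with zeros so offsets in the image still match the disk
#   4. hash the image and record everything in the custody log
# Returns 0 only when the source and image hashes match.
image_disk() {
  src=$1; dest=$2; log=$3
  if [ -e "$dest" ]; then
    echo "refusing to overwrite existing image: $dest" >&2
    return 1
  fi
  printf '%s start src=%s dest=%s by=%s\n' \
    "$(date -u +%FT%TZ)" "$src" "$dest" "$(id -un)" >>"$log"
  src_hash=$(hash_file "$src")
  # bs=512 matches the sector size, so conv=sync never pads a healthy
  # device; a plain file whose size is not a multiple of 512 would be padded.
  # dd's records in/out summary goes to the log as well.
  dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>>"$log"
  dest_hash=$(hash_file "$dest")
  printf '%s source_sha256=%s\n' "$(date -u +%FT%TZ)" "$src_hash" >>"$log"
  printf '%s image_sha256=%s\n' "$(date -u +%FT%TZ)" "$dest_hash" >>"$log"
  if [ "$src_hash" = "$dest_hash" ]; then
    printf '%s result=VERIFIED\n' "$(date -u +%FT%TZ)" >>"$log"
    return 0
  fi
  printf '%s result=MISMATCH\n' "$(date -u +%FT%TZ)" >>"$log"
  echo "hash mismatch: image does not match source" >&2
  return 1
}

# Usage (hypothetical paths):
#   sh image.sh /dev/sdb /evidence/case42-sdb.dd /evidence/case42.log
if [ "$#" -ge 2 ]; then
  image_disk "$1" "$2" "${3:-./imaging.log}"
fi
```

A mismatch between the two hashes is the signal that the disk is failing or was changed while being read; the log then shows exactly which step was taken when and by whom, which is what you need if the image is later questioned.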

Whatever the case, having good policies, processes and procedures will only make you and your organization better.  So, since it's the beginning of a new year, take some time to update your policies and look at your processes and procedures.  Have they changed?  Do they need updating?  Are they even helpful?  Writing something for the sake of saying you have it is a waste of time.  Run some crew drills, do a dry run, whatever it takes; it pays up front to make sure you're covered!

Comments

This is a topic I've wanted to write about for a long time. We used to perform a quick engagement called P&P for Policy and Procedures review. Then of course, the business process guys got involved and we talked about the difference between Procedures and Processes. I then pointed out that no matter what all these written formalized documents stated, what you were left with was just the practices that were in place, and those practices may or may not bear any resemblance to the Policies, Procedures, or Processes. Finally, the last "P" which overrides everything else is Politics! So, our formal engagement went from P&P to the 5 "P"s. :)