Checklist Policy Development Process
April 8, 2024

This checklist is intended to provide a quick overview of the major steps associated with the development, refinement, and approval of an internal information security policy document.
A more detailed description of the necessary development, refinement, and approval steps can be found in the section of this book entitled “Instructions.” Similarly, a list of steps to take after a policy document has been produced is found in an appendix entitled “Suggested Next Steps Now That Policies Are Written.” Note that many of the following steps can be pursued simultaneously or in an order different than the order shown below.
- Perform a risk assessment or EDP audit to determine your organization’s unique information security needs; these must be addressed in a policy document
- Clarify what the word “policy” means within your organization so that you are not preparing a “standard,” a “procedure,” or some other related material
- Make sure that roles and responsibilities related to information security are clarified (including responsibility for issuing and maintaining policies)
- Convince management that it is advisable to have documented information security policies
- Identify the top management staff who will be approving the final information security document
- Collect and read all existing internal information security awareness material and make a list of the bottom-line messages contained therein
- Conduct a brief internal survey to gather ideas that stakeholders believe should be included in a new or updated information security policy
- Examine other policies issued by your organization, such as those from the Human Resources Department, to identify prevailing format, style, tone, length, and cross-references, so what you produce fits with what came before
- Identify the audience(s) to receive information security policy materials and determine whether they will each get their own document
- Determine the extent to which the audience(s) are literate, computer knowledgeable, and receptive to security messages (this includes understanding the corporate culture surrounding information security)
- Decide whether some other awareness efforts must take place before information security policies are issued (for example, one effort might show that information itself has become a critical factor of production)
- Using ideas from the risk assessment, prepare a list of absolutely essential bottom-line policy messages that must be communicated (consult the files POLICY1, POLICY2, and POLICY3, as well as the already-written policies at the end of this book called “Sample Policies”)
- If there is more than one audience, match up the audiences with the bottom-line messages to be communicated via a coverage matrix (this process is described in the section called “Instructions”)
- Determine how the policy material will be disseminated (an intranet site is recommended, but the appendix dealing with awareness methods provides many other alternatives), noting the constraints and implications of each medium of communication
- Review the compliance checking process, disciplinary process, and enforcement process to make sure that they all can work smoothly with the new policy document
- Determine whether the number of messages is just too large to be handled all at one time, and if so, identify different categories of material that will be issued at different times
- Run the outline of topics to be included in the first document by several stakeholders (an information security management committee is the ideal vehicle, if your organization has one)
- Based on comments from the stakeholders, revise the initial outline and prepare a first draft, extracting policies as needed
- Run the first draft document by the stakeholders for initial reactions, presentation suggestions, and implementation ideas
- Make changes to the draft in response to comments from stakeholders (expect that this step will repeat several times)
- Get top management to approve and sign off on the policy (changes may be necessary here, in which case this step can also repeat several times)
- Prepare extracts of the policy document for selected purposes, for example for a form signed by users receiving brand new or renewed user-IDs and passwords
- Develop an awareness plan which uses the policy document as a source of ideas and requirements
- Create a working papers memo indicating the disposition of all comments received from reviewers (even if no changes were made)
- Write a memo about the project, what you learned, and what needs to be fixed so that the next version of the policy document can be prepared more efficiently, received better by the readers, and made more responsive to the unique circumstances facing your organization