Managing information security policies is an ongoing task – it doesn't stop once the policy has been written and approved by the board. Storing policies in one long document and sharing that with everyone is not manageable long-term. As your business changes, it is important to make sure your policies and people can keep up.
This is why many businesses are turning to policies management software. If you choose to use software to store and update your organization's policies, the software should make managing policies much easier.
In this article, we will look at the top features to consider when evaluating a policies software solution, including features related to policy wording and structure, custom policies and categories, creating an acceptable use policy, download documents, and more.
Policy Wording & Structure
Writing policies is time-consuming work and requires a deep knowledge of a business' people, processes, and technology. Because of this, it can be helpful to partner with some experts when writing the policies. This helps supplement knowledge in areas outside your expertise.
Look for software that will help you build your policies.
Now, when we say, "help you build your policies," we don't mean "get a cookie-cutter policy." Good policies should be specific to your business. Here are a few features you can look for to make sure you're getting just that.
- Look for a questionnaire. Questionnaires often ask about things like your organization's structure, size, technologies, and requirements. The questions should provide multiple answer options and there should be a way to leave comments as you go. A questionnaire is helpful because the software can take your answers and use that information to generate custom policy language tailored to your business.
- Look for an easy-to-read format. All your policies should be written in a similar structure, whether they are generated by the software or added later. In general, a good policy structure would include a policy statement, commentary, implementation procedures, related policies, and review items. (For more on this topic, check out our blog: Key Sections of an Information Security Policy.)
- Look for a way to track changes. Whether you're changing an entire section or simply adding a comma, a good policies software should keep a record of the change every time you click "Save." If there's a policy you don't need, but want to keep for future record, there should be a way to easily exclude it from your list of policies without completely deleting it.
Custom Policies & Categories
There's no doubt about it: Template policies can save you the work of starting your own policies from scratch. However, there may be times you want to create your own, or maybe you already have policies you want to keep using, but they just need a little sprucing up. If any of this sounds like you, there's a feature for that.
Look for software that guides you through creating your own custom policies.
Here's what we mean by that:
- Look for categories. When you create custom policies, you should be able to keep them with policies of a similar nature. For example, you wouldn't want to jump from "Staffing" (Human Resources) to "System Hardening" (Information Security) in the same blink. Ordering policies by category provides better organization, flow, and consistency across multiple policies.
- Look for subcategories. Take it to another level. For example, instead of just grouping all your "Information Security" policies under one umbrella, make it so that they can exist in perfect little silos for "Physical Security," "Technical Security," and "Administrative Security." Subcategories let you group common themes and ideas together which is better for everyone.
- Look for access roles. If you organize your policies by category, you would also want to make sure the right people can access them at the right times and in the right ways. Look for levels of access at both the top and the category level (e.g., admin, user, read-only, etc.).
Acceptable Use Policy
Your policies are only as good as the people carrying them out. This is why it is super important to make plans for sharing and asking your employees to sign off on the parts that apply to them. In the banking industry, we call this an "Acceptable Use Policy" or "AUP." With an AUP, you can include the most important parts of a policy and leave out the extra details that don't apply to everyone.
Look for software that best communicates your AUP.
When you're ready to provide the AUP to your employees, make sure the software offers multiple formats. Specifically:
- Look for a read-only access role. Just let users sign into the software to see it.
- Look for a download document. Maybe you're more of a "paper trail" kind of person. If that's you, having a good, printable download can help.
- Look for a learning management system (LMS). Best of all, look for an option that lets you enroll users in a training course, click through some easy-to-read slides, and electronically sign off on the AUP. Before you know it, your AUP can be as easy as 1-2-3.
Of course, one reason policies are written is so that other people can see them. While granting access to the software is one option, as we mentioned above, one other question you want to ask is, "How can I get my policies out of the software?"
Look for software with easy-to-read download documents.
Here are some specific things to consider for a policies management software:
- Look for template policy documents. The policies software should have documents that are ready to go with a click of a button. You want all your policies? Great. You want one of your policies? Can do. You want just the changes from the last time the policies were approved? You bet. Your policies software should make it easy to just click and go.
- Look for a custom-document builder. A custom-document builder makes it possible to export only the policies and sections you want. For example, there may be times you wish to export your entire policy library in one document for an examiner to review, but if you're going to the Board, maybe you just want a shorter, high-level summary for each policy. Custom-document builders make it possible to do just that.
- Look for skimmable formatting. Policy documents can get pretty lengthy. The documents generated by the policies software should be as easy to navigate as the software. Look for a helpful table of contents, clearly visible headers, and formatting that flows. Physical document structure matters to your readers. Be sure it matters to you.
The goal of policies software is to make your life easier and make your policies more manageable. If you're looking for a next step, download our Policies Software Review Excel Tool for a more exhaustive list of features you may want to consider when evaluating potential policy management solutions.