Disclaimer: To protect the privacy of a former client, I have changed key details of this story, however the main sentiment and methods remain the same.
A few years ago, I orchestrated a jewel heist.
Yes, you read that correctly. While claiming a mysterious former life of crime is always intriguing, the truth is it was all in the name of compliance and I had explicit (albeit less interesting) permission from the jeweler's CEO.
Don’t get me wrong, I was no Box Man in this scenario. I didn’t need to be, especially since I’d been privy to the common security inconsistencies of the jeweler in question.
My job was to create, deploy, and enforce security procedures. When I’d noticed that the employees had not been following these procedures as strictly as I’d recommended...I had to try a different tactic.
I made my point the day I smuggled $20,000 in inventory from the main vault. The loss was enough to constitute a termination, and somehow this made them keener to heed my security warnings. They’d made a major procedural mistake by leaving the keys and safe combo in the same location. They’d served me the keys to the kingdom on a silver platter.
It was the easiest $20,000 I’d ever made and my oh my did they learn their lesson!
For the record, I returned the assets, but taking them had been too easy and it troubled me.
In my experience as a compliance expert, I’ve seen lax attitudes and confusion surrounding information security programs. More specifically: the policies, standards, procedures, and guidelines that make up the program. While these components are often (wrongly) used interchangeably, there are very distinct differences between them, and each one should be taken seriously to maintain security protocols and protect your organization. Clearly defining the roles of each of these components and enforcing them within your workplace are essential for upholding a strong security posture.
Before we dive into differentiating these four components, we need to first understand what an information security program is and why it is critical for your overall business operations.
What's an Information Security Program?
An information security program consists of the policies, standards, procedures, and guidelines your organization uses to protect critical IT assets, data, and other business processes. This program works because it identifies the factors that are or could impact the security of your assets, allowing you to create or alter policies, standards, etc. that directly address the issues.
Stealing the $20,000 in precious gems and metals allowed me to expose the vulnerabilities within the jeweler’s information security program. In this case, the lack of procedural follow-through was the culprit. Customized and targeted security measures can reduce incidents, eliminate vulnerabilities, and enhance your overall security posture. Each component has a vital role to play in keeping your business operations secure. Let’s start with the foundation: policies and work our way up to the guidelines.
Policies: The Institution-based Rules that Protect Your Assets
Policies are the foundation of any business and are necessary for creating a structurally sound and smooth-running organization. Policies are broad, high-level statements that provide direction and are typically flexible, but do not often change, as they don’t cover the ever-evolving nitty gritty of day-to-day operations. With policies in place, you have a high-level view of your Information Security Program.
An example of a policy could be, “the jewel vault must never contain over $50,000 in asset value at any given time.” This policy would require procedures to meet and maintain this policy and direct the staff.
Standards: The Mandatory Obligations that Protect Your Assets
Just like you can’t install the electrical components of your home without a certified electrician to ensure competent execution, you can’t run your business without meeting standards. These can be compliance specific, quality-specific (ISO), or otherwise. A standard specifies consistent uses for certain technologies or configurations. Some common standards include Cybersecurity Maturity Model Certification (CMMC), Federal Information Security Management Act (FISMA), Health Insurance Portability and Accountability Act (HIPAA), ISO 22301, ISO/IEC 27001, among many others. As you can see, you adopt, implement, and abide by the standards that are applicable to your business. While standards didn’t directly apply to the jewel vault situation, the standard would be the staff’s obligation to the protection and privacy of customers’ data and assets as dictated by regulatory compliance.
Procedures: The Actions You Take to Protect Your Assets
Procedures are specific details or instructions on how to accomplish desired tasks and goals within your business. Consistent procedures are essential to every business as it improves efficiency and decreases error. As I mentioned above, the jewel heist was made possible by a procedural error from the staff. The procedure was to ensure vault security, store the code and the key in separate locations. Procedures are subject to change as you deploy new technology, your company grows, you acquire other companies, or other companies acquire your business.
Guidelines: The Best Practices You Develop to Protect Your Assets
Guidelines are essentially recommendations and that you’d typically apply when a standard doesn’t exist. You should consider guidelines as best practices. Going back to the jewel heist scenario: a guideline would be, don't leave the combo in a drawer that customers see you go into every time before you walk into the vault. People are smart. They will put 2 and 2 together and realize that you are grabbing the combo from the same location every time.
Another guideline or best practice that I often see (or don’t see) is employee password management and protection. The quote, “Passwords are like underpants, change them often, keep them private, and never share them with anyone” is a perfect example of a password management guideline.
Policies, standards, procedures, and guidelines all play a significant role in your Information Security Program. Although your policies are the foundation, standards and procedures are just as important, as they provide additional support to your program. Guidelines are the finishing touches filling in all the gaps wherever standards and procedures aren’t present to support the goals of your company.
Build Your Information Security Program
Now that you understand the differences between policies, standards, procedures, and guidelines, you can determine if your current information security program is serving your business and keeping your operations out of unnecessary risk. It shouldn’t take an enormous security breach to get your employees to take these components more seriously. Get your employees on board with the program and make sure you stress the importance of your defined protocol. If you need additional guidance to improve your information security program, check out our vCISO offering.
