Effective organizational policies are essential for managing risk, but they can't just be set and forgotten. The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) Control GRC-03 reminds us of the importance of regularly reviewing policies and procedures to ensure they remain accurate and effective as the organization and threat landscape evolves. Let's explore why this often overlooked control deserves more attention.
Where did this come from?
This control comes from the CSA Cloud Controls Matrix v4.0.10 - 2023-09-26, which can be downloaded from https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4. The CCM provides a comprehensive set of cloud security controls mapped to various industry standards. For more background on organizational policies, the ISO/IEC 27001 standard and NIST SP 800-53 provide relevant guidance.
Who should care?
Several roles should prioritize this control:
- Chief Information Security Officers (CISOs) with responsibility for the overall security program
- Governance, Risk, and Compliance (GRC) managers with accountability for policy management
- Department heads with ownership of processes and procedures
- Internal auditors with an obligation to assess control effectiveness
What is the risk?
Outdated and inaccurate policies create significant risks:
- Inconsistent security practices leading to preventable incidents
- Delayed incident response due to unclear procedures
- Compliance violations and audit findings
- Unmitigated risks from changes in the organization or external environment
While GRC-03 alone can't eliminate these risks, regular policy reviews are a critical detective control to identify required updates before bad things happen.
What's the care factor?
For the target audience, this should be a high priority control, even if it's not the most exciting. Policies are the foundation of the security program. Investing a little time to review them regularly can prevent major headaches down the road. In a threat landscape that evolves daily, no organization can afford to rely on stale policies.
When is it relevant?
Annual policy reviews should be a standard practice for every organization. However, reviews are also essential when there are significant changes such as:
- Expansion into new markets or geographies
- Adoption of new technologies (e.g. cloud, IoT, remote work)
- Major security incidents or audit findings
- Revisions to relevant laws, regulations, or standards
Startups and small businesses with limited resources may deprioritize this control in favor of more pressing security needs. However, they should still aim for some level of regular review as the organization matures.
What are the trade-offs?
Implementing this control does require an investment of time from various stakeholders. Tracking all the applicable policies, coordinating reviews, updating documents, and communicating changes org-wide is not trivial. There may be resistance from process owners who see reviews as disruptive or unnecessary.
However, these costs pale in comparison to the consequences of a major incident that could have been prevented with up-to-date policies. And by detecting policy gaps early, reviews often end up saving time and effort in the long run.
How to make it happen?
To implement an effective policy review process:
- Inventory all security policies and map each one to an owner
- Establish an annual review schedule, with more frequent targeted reviews as needed
- Create a standard review checklist covering aspects like:
  - Alignment with current standards and best practices
  - Consistency with other organizational policies
  - Relevance to existing and emerging risks
  - Feasibility of implementation with available resources
- Conduct reviews with representation from security, IT, legal, HR, and relevant departments
- Update policies to address gaps and inconsistencies
- Obtain management approval for revised policies
- Communicate policy changes to all employees and provide training where needed
- Monitor adherence to updated policies and procedures
What are some gotchas?
A few things to watch out for:
- Policy owners need sufficient authority and resources to implement identified changes
- Reviews should cover the full policy lifecycle including enforcement and exceptions
- Relevant compliance obligations (e.g. GDPR, HIPAA, PCI-DSS) need to be considered
- Supporting technical standards and guideline documents also require regular review
- Excessive or overly granular policies can become infeasible to maintain and review
What are the alternatives?
While there is no direct substitute for policy reviews, some complementary practices include:
- Real-time monitoring of security controls to detect policy violations
- Tabletop exercises to stress-test response procedures
- Post-incident reviews to identify policy gaps or failures
- Tracking of relevant industry developments and threat intelligence
However, these practices inform but don't replace the need for a comprehensive policy review process.
Explore further
For a deeper dive into organizational policy management, check out:
- ISO/IEC 27001 Information Security Management Standard
- NIST SP 800-53 Security and Privacy Controls
- SANS Policy Templates and Resources
- CSA Cloud Controls Matrix (CCM) GRC domain
The GRC-03 control also aligns with the CIS Critical Security Control #14 ("Security Awareness and Skills Training") and #17 ("Incident Response Management").