Any recommendations for how we can improve our security documentation?

1.5k views, 10 comments

Head of IT and Security in Finance (non-banking), 51 - 200 employees
This is a very broad question and also depends on what you already have. If you already have the basics (strategy, guidelines, KPIs...), I highly suggest you revisit the documents and update them at least twice a year.
Head of Information Security in Finance (non-banking), 1,001 - 5,000 employees
Huge question. There is a lot of documentation required for security. Especially when a cyber security incident occurs, all incident-response-related documentation must be regularly updated. Documentation review is a good way to keep it useful.
CISO in Healthcare and Biotech, 2 - 10 employees
Document from three perspectives - end user, support engineer and implementation. It needs to be concise and complete with references. Test for understanding and retention. Make it easy to access, as needed.
VP of Information Security in Finance (non-banking), 201 - 500 employees
For policies, make sure you use natural, business-oriented language. State intentions and directions and avoid instructions and steps.
Make sure your procedures cover the steps needed and who needs to do them, making them as easy as possible to follow.
Experiment with having them read by someone outside your team; we tend to omit certain steps sometimes because we can automatically fill them in from our own minds.
Director, IT Security in Manufacturing, 10,001+ employees
Is the question geared more towards starting or restarting a documentation initiative? If so, I recommend finding a standard that aligns to the organization. For example, is having policies sufficient, or do you also need written standards and guidelines?
Next, create a simple register of the different documents you have or you need to create. This helps with tracking and prioritizing. The register can be as simple as Unique ID, Document Name, Purpose, Owner, Review Date. 
From there, define a common template that can be used for all the documents. Either scour the Internet for a template you like or make one that fits your needs. As for content, I’ve found that it is easier to adapt and modify documentation content found online rather than creating content from scratch. For example, SANS has a lot of security policy examples that you can borrow from. 
Finally set a documentation review cadence (at least annually) to ensure the documentation is kept up to date.
Director of Information Security in Manufacturing, 1,001 - 5,000 employees
One thing that helped us (beyond the basic requirements to have at least some documentation) was to expose everything to comments. When people in our IT department, or even end users, now read a policy or another document, they have the chance to comment on it or propose changes. Basically a wiki setup. The hidden benefit is that it forces the security team to express any thoughts and policies in accessible and business-relevant language, or risk being called out ;-)

Director of Information Security in Telecommunication, 10,001+ employees
Like many other users, I am inclined to reply that it is a very big question and also depends on what you already have. However, my suggestion would be to spend some time shaping your security documentation, such as policies, for your business. Best-practice documentation that is aligned with security standards on paper will need to be modeled to your environments and architecture.
Senior Vice President and Chief Information Security Officer in Energy and Utilities, 10,001+ employees
Make it easy and clear to understand for non-security people; avoid technical jargon, acronyms, etc. Be clear on the document's purpose and, if applicable, provide a business-centric angle on the why. Include the scope in which the document applies and who should be reading it. Depending on the type of document, I like to start with an executive summary at the front of the document: try to answer the question first and allow the rest of the document to tell the story. Hosting your security documentation in an easy-to-find, central location always helps too.
CISO in Software, 201 - 500 employees
Understanding the documentation pyramid helps here. Structure documents as per intent.
Policy - conveys management intent
Controls - describe how policy intent is being achieved
Process - elaborates on how the implementation of each control is seen through (roles and responsibilities, input, output, timelines, etc.)
Guidelines - indicate best practice and good-to-have setup
Head Information Security Officer in Finance (non-banking), 11 - 50 employees
From your question one can assume that you already have security documentation in place.

Below are my two bits:

1. Ensure that your security documentation follows industry standards, e.g. SANS.
2. Documentation should be specific to your organization's needs. Don't write stuff which is not applicable to you. You are making your and your team's life difficult, as you will have to comply with the rules you are setting.
3. Policies - Keep them crisp, in plain English (no jargon), and they should be able to tell an overall story of the rules that you are laying down. Procedures - should be detailed and simple to understand, as one would need to follow them on a day-to-day basis as part of their duties.
4. Ensure that your documentation aligns with your organization's security goals. Also look out for any regulatory requirements that you may have and make it a point to cover them in your policies and procedures.
5. Periodic review and version control - Make sure that you review it periodically (at least once a year) and have it approved by senior management. Don't forget to add version control in each of your documents. Maintain a separate sheet (Excel possibly) with a) the names of the policies, b) the changes made to them during every review cycle, and c) the date when they were reviewed and approved. This helps in your subsequent yearly reviews.
6. Involve other stakeholders - Bring in people from other teams to review the policies and procedures and ask them to give their feedback. It achieves two things at once: you have more pairs of eyes looking at those documents, where they might highlight points which you may have missed, and you create security awareness amongst your peers.

Hope this helps!!
