Any recommendations for how we can improve our security documentation?
Understanding the documentation pyramid helps here. Structure documents as per intent.
Policy - conveys Management Intent
Controls - Describe how policy intent is being achieved
Process - Elaborate on how the implementation of each control is seen through (roles and responsibilities, input, output, timelines etc.)
Guidelines - indicate best practice, and good to have setup
Make it easy and clear to understand for non-security people; avoid technical jargon and acronyms etc. Be clear on the document's purpose and, if applicable, provide a business-centric angle to why. Include the scope in which the document applies and who should be reading it. Depending on the type of document, I like to start with an executive summary at the front of the document, try and answer the question first and allow the rest of the document to tell the story. Hosting your security documentation in an easy-to-find, central location always helps too.
One thing that helped us (beyond the basic requirement to have at least some documentation) was to expose everything to comments. When people in our IT department, or even end-users, now read a policy or another document they have the chance to comment on it or propose changes. Basically a wiki setup. The hidden benefit is that it forces the security team to express any thoughts and policies in accessible, business-relevant language or risk being called out ;-)
Is the question geared more towards starting or restarting a documentation initiative? If so, I recommend finding a standard that aligns to the organization. For example, is having policies sufficient, or do you also need written standards and guidelines?
Next, create a simple register of the different documents you have or you need to create. This helps with tracking and prioritizing. The register can be as simple as Unique ID, Document Name, Purpose, Owner, Review Date.
From there, define a common template that can be used for all the documents. Either scour the Internet for a template you like or make one that fits your needs. As for content, I’ve found that it is easier to adapt and modify documentation content found online rather than creating content from scratch. For example, SANS has a lot of security policy examples that you can borrow from.
Finally set a documentation review cadence (at least annually) to ensure the documentation is kept up to date.
From your question one can assume that you already have security documentation in place.
Below are my two bits:
1. Ensure that your security documentation follows the industry standards. Ex: SANS etc.
2. Documentation should be specific to your organization's needs. Don't write stuff which is not applicable to you. You are making your and your team's life difficult, as you will have to comply with those rules you are setting.
3. Policies - Keep them crisp, in plain English (no jargon), and they should be able to tell an overall story of the rules that you are laying down. Procedures - should be detailed and simple to understand, as one would need to follow them on a day-to-day basis as part of their duties.
4. Ensure that your documentation aligns with your organization's security goals. Also look out for any regulatory requirements that you may have and make it a point to cover that in your Policies and Procedures.
5. Periodic review and version control - Make sure that you review it periodically (at least once a year) and have them approved by senior management. Don't forget to add version control in each of your documents. Maintain a separate sheet (Excel possibly) with (a) the names of policies, (b) the changes made to them during every review cycle, and (c) the date when they were reviewed and approved. This helps in your subsequent yearly reviews.
6. Involve other stakeholders - Bring in people from other teams to review the policies and procedures and ask them to give their feedback. It achieves two things at once: you have more pairs of eyes looking at those documents, where they might highlight points which you may have missed, and you create security awareness amongst your peers.
Hope this helps!!