A big part of my job is conducting security audits or assessments of clients. In one assessment, I asked a client for some documentation, in this case a system design document, as is usual practice. I was told “We don’t do documentation just for audits”. Further discussion revealed that the client’s culture was one where documentation was considered unnecessary for many activities, including activities directly related to security. Needless to say, I found many issues with their information security posture.
All those policies, procedures, plans, standards, specifications and other documents that form a part of an information security management framework have a purpose and will, if done properly, provide security value to an organisation:
1. Documented policies and standards ensure consistent implementation across the organisation
People are going to perform tasks slightly differently if they have only their memory as a reference. For example, when considering the security of a service provider, different people may ask for different contract clauses. Or when configuring a network switch, different security settings might be applied each time.
It is impossible to ensure a consistent level of security if processes are being performed differently each time, meaning that it is likely that some activities will be performed at an inadequate level of security. Security documentation ensures a consistent level of security is maintained across the organisation, one that is planned and acceptable to the organisation.
2. Design documentation holds information that would otherwise be lost when staff leave
All people will eventually leave an organisation and when they do, they can take a great deal of information with them. This information would include how the system currently operates, external requirements that were placed on the system from legislation or contracts, or assumptions that were made in how the system would be used or operated.
This information is important for maintaining system security when making changes. With clearly documented engineering information, it is possible to determine whether a proposed change will allow the system to continue meeting all its requirements and protecting its information adequately. It will also help to identify functionality that is no longer needed, allowing resources to be reprioritised to more urgent security needs.
3. Documentation allows for iterative review and improvement of processes and systems
Organisations should aim to revise and improve their processes and systems over time. In the security field this is important because threats are constantly evolving and practices and technologies are always being improved.
Something must be understood by all stakeholders before it can be improved, and then the new, improved process must be consistently implemented across the organisation. This is how an organisation as a whole improves its security over time, and it requires a good set of documentation to manage.
4. Documents provide evidence of the intent to carry out business activities a certain way
Documentation is necessary because it proves that the organisation intends to perform certain activities a certain way. This means secure processes aren’t the result of luck and secure networks are not a matter of chance. Documented policies and procedures provide assurance that security will be maintained into the future.
It is clearly a waste of resources to write documents that serve no purpose. However, clear and informative documents are important because they have a significant effect on the actual level of information security of an organisation, regardless of whether you need to be audited.