I’ve seen policies from lots of companies big and small. Generally, I’m a techie engineer so I don’t love policy. I’ve also seen a fair number of companies that clearly don’t follow their policy. I’ve also seen companies that get certifications like SOC 2 is a type of Service Organization Control (SOC) report that evaluates the effectiveness of an organization's controls related to security, availability, processing integrity, confidentiality, and privacy. These reports are based on the Trust Services Criteria (TSC) developed by the AICPA and are commonly used by technology and cloud service providers to demonstrate compliance with industry standards and best practices. and ISO (International Organization for Standardization) is an independent, non-governmental international organization that develops and publishes standards for various industries and sectors, including cybersecurity. that are meaningless because they systematically lie and their auditors (not us, we don’t do auditing) never check lots of basic things we see. Sometimes the security teams at the companies aren’t lying, they just don’t even know the truth about their own company. I get it, there’s all kinds of reasons we can’t always have nice things.
In response to that, we spent a few years at Jemurai trying to write minimal policies that people could understand and follow. I even published a blog post last summer about it and we tried selling a minimal policy bundle off of our website. It seemed like a good idea at the time. I think the philosophy was generally sound in a pure sense.
The problem is, people use policy as a defense against auditors and without more explicit direction, you can’t say you have controls around a variety of things. You don’t even know you need to know the answer to questions about data loss protection or mobile devices in your network. Inevitably, sooner or later someone is going to run up against a SIG Lite is a simplified version of the SIG (Standard Information Gathering) questionnaire, which is a framework for assessing third-party vendor security risks. SIG Lite is designed to help organizations quickly assess a vendor's security posture and identify potential security risks. The questionnaire covers a range of security domains, including access control, data protection, incident response, and business continuity. SIG Lite is intended for use by smaller organizations or for assessing vendors with lower risk profiles, where a full SIG assessment may not be necessary. or a more exhaustive partner checklist or some trigger that forces them to articulate a more complicated policy.
To update our position on this, while staying arms length from auditing and full on policy work in the future, we developed policies in Markdown and published them to our private Github repo. They look nice and everybody can immediately see what the policies are and who changed them when. We can also track approvals using pull requests. For smaller tech companies this makes for a simple more digestible way to get, use and publish policy. It keeps it in a relevant and accessible place. We can share it with their security point of contact by letting them fork our policy in Github. They can subscribe to updates and merge our new best practices in as they evolve. So far, this seems to be a good direction.