From policies to culture (2004)
R. von Solms a, B. von Solms b

a Department of Information Technology, Port Elizabeth Technikon, Port Elizabeth 6000, South Africa
b Rand Afrikaans University, Johannesburg 2000, South Africa

www.elsevier.com/locate/cose

KEYWORDS: Security policy; Organizational culture; Security culture; Security education; Security behaviour

Abstract

Management normally sets company vision, rules and regulations through policies. These policies should provide guidance to employees and partners as to how they should act and behave to be in line with management's wishes. These policies need to be structured and organized effectively to cater for business and technological dynamics and advances. Having defined a series of company policies does not ensure that all employees will necessarily obey these policies. Ideally these policies must manifest in some company culture to ensure appropriate behaviour. This can only be achieved through a proper education process. This paper addresses exactly the process of integrating policies, education and culture.

© 2004 Elsevier Ltd. All rights reserved.
0167-4048/$ - see front matter © 2004 Elsevier Ltd. All rights reserved.
doi:10.1016/j.cose.2004.01.013
various levels of abstraction, on how policies can be implemented to effectively influence the behaviour of employees. The paper will address the topic from an information security point of view, but the results should be applicable to most disciplines. The paper will firstly analyse precisely what is meant by the word policy and how it relates to the discipline of information security. This will be followed by an analysis of a possible relationship between policies and creating a culture. An example, from Christianity and Judaism, indicating how laws and directives cultivated a culture will be discussed and this will be mapped onto the discipline of information security. Finally, a graphical model will be devised and put into general context.

What is a policy?

A policy can be defined as (1) "a course of action, guiding principle, or procedure considered expedient" or (2) "a certificate of insurance" (The American Heritage Dictionary, 2000). From this definition it can be deduced that a policy refers to, firstly, action that needs to be taken or a procedure that needs to be followed and, secondly, a statement or declaration that can be made. Thus, if the procedure is followed correctly, then the 'certificate of insurance' should be intact.

A procedure can be defined as "a series of steps taken to accomplish an end" (The American Heritage Dictionary, 2000). If this series of steps is followed meticulously, it should result in the wish of management (as spelt out in the policy) being met, and thus in the original intent of the policy being 'insured'.

Senior management is responsible for the well-being of the organization. Therefore they need to clearly spell out their direction for the company to be successful. This direction is spelt out by means of a series of policies. These policies will communicate certain aspects to external parties, and also to fellow employees. The objective of the policies, to internal parties, is to influence and determine their course of action. Thus, management indirectly determines the actions of the employees to serve the interests of the organization.

In an information security program, people are often referred to as the weakest link. Russell (2002) and Voss (2001) reiterate this statement by highlighting that human error is often the root cause of problems in some of the most technological implementations. Information security policies create a solid platform to implement secure practices in an organization. "Knowing the policies is only half of the equation - staff need to know how they should comply, from a procedural perspective" (RUsecure, 2002, online).

Therefore, the intent of senior management might be pure, the policies defined crystal clear and detailed procedures provided, but the result not as desired. Especially not in the world of information security, as seen from the previous paragraph. The question that arises is how the intent of top management can manifest in the actions of the employees.

Policies and culture

To ensure that the actions, creations and artefacts of employees satisfy the sentiment of management, as spelt out in their company policies, it is important that an appropriate group culture is cultivated. If such a group culture manifests, and this culture is in synchronization with the underlying policies, then it would ensure acceptable actions and behavioural patterns of the individual group members. The objective is thus to develop a group culture, where all actions and creations of group members (employees) are in line with the vision of management.

How can such a culture be developed and precisely what does it entail? To answer these questions, it is important that one first defines what a culture is and then how a culture is cultivated. Schein (1992) defines the culture of a group as follows: "A pattern of shared basic assumptions that the group learned as it solved its problems of external adaptation and internal integration, that has worked well enough to be considered valid and, therefore, to be taught to new members as the correct way to perceive, think, and feel in relation to those problems." This definition basically addresses two issues: firstly, the shared basic assumptions of the group need to be defined and, secondly, these assumptions need to be taught to everybody who forms part of the group.

To define and develop the shared assumptions that are acceptable to both management and the group members is a major task. Management, through drafting a series of policies, would define what they expect from the group members. These policies must be acceptable to the group members, especially as far as basic assumptions and beliefs are concerned. Everybody must agree that these are for the benefit of the organization, as well as that they do not infringe on any of the individual's personal assumptions and beliefs. Schein (1992) defined an organizational culture model, as depicted in Fig. 1.
policy. For example, an access control policy, an Internet policy, a network security policy, etc.

The laws are supported by a series of directives (Bible, Ex 25-32). These directives state how, where and when God must be served. These directives are grouped for different situations or groups of followers.

Thus, a series of procedures that is logically ordered, prepared in a non-technical way and specifically spelling out actions and behaviour, should interpret the executive and secondary level policies for the employees. A series of procedure documents addressing the proposed actions of, amongst others, computer end-users, the department of human resources, third party consultants, etc. needs to be compiled.

The suggested framework of how policies and procedures should be arranged to ensure that conceptual ideas of top management are effectively interpreted and logically communicated to the employees is presented in Fig. 2.

[Figure 2: Hierarchical ordering of (a) commandments, laws and directives and (b) executive and secondary level policies and procedures. Boxes recoverable from the figure: Executive Information Security Policy; Procedures for 3rd Parties; HR Procedures; End-user Procedures.]

The fact of the matter is that unless policies and procedures are properly communicated and taught to employees, the chances that they will manifest in their behaviour and culture are minimal.

The Bible (Deut 6:6-9) states:

- "never forget these commands",
- "teach them to your children",
- "repeat them when you are at home, when you are away, when you are resting, when you are working",
- "tie them to your arms",
- "wear them on your foreheads" and
- "write them on the door posts of your houses and on your gates".

Thus, the policies and procedures should be properly communicated to ALL parties, regularly refreshed, posted in prominent places to be seen, become part of every individual, etc. Only then do they have a proper chance to influence the behaviour of the employees to such an extent that they might manifest in a company culture. A continuous information security awareness program should be in place to ensure initial education, and also regular updates and reminders.

The 10 commandments, written by God on two stone tables, eventually played a central role in the religious beliefs of many people and influenced the culture and therefore behaviour of many nations over thousands of years. Similarly, the wishes, dreams and vision of top management, as spelt out in an executive level policy, should strive to eventually influence the behaviour of employees by creating a company culture, acceptable to all parties involved. To achieve this, two aspects
are of critical importance. Firstly, the policies and procedures should be defined in a proper framework to ensure that management's conceptual ideas are entrenched in a series of logically structured documents. These documents should cater for dynamic business and technological fluidity, and also hide technical detail when not required. Secondly, these policies and procedures should be communicated to all employees through a well defined process of education, reminders, refresher courses, etc. If this is not done properly and continuously, the effect of the executive level information security policy might never manifest in some organizational culture. This will mean that most company rules and regulations will have to be enforced and continuously policed. It will not become embedded in the everyday behaviour of the employees, and thus a company culture, which is obviously the ideal.

If information is important to an organization, top management should clearly spell out their sentiment in this regard in an executive information security policy. Ultimately, top management would like all employees and partners to share this sentiment with them and ensure that proper information security controls are introduced and adhered to. For this reason, a series of supporting policies needs to be defined, implemented and educated to the parties concerned. Hopefully, this education will become entrenched in employee behaviour to such an extent that an information security culture is cultivated. At this point, management can feel satisfied that their sentiment about the importance of information security has actually been manifested in the everyday lives and actions of employees, providing proper protection to information resources.

Conclusion

Top management is ultimately responsible for the well-being of an organization. They normally use policies to spell out their management support and direction. These policies need to be communicated and interpreted to all submissive parties. One of the important objectives of these policies is to prescribe the actions and behaviour of these parties. The fact that these policies, and associated procedures, are communicated and educated to employees and partners does not ensure that subsequent actions and behaviour from these parties will necessarily be according to these policies. One way to ensure that employee actions, behaviour, artefacts and creations are according to company policies is to align these with company culture.

This paper highlighted the importance of ensuring that company policies are effectively structured and organized, and also, that unless these policies and procedures are effectively communicated and educated to employees, the chances that they will manifest in company culture are minimal. Thus, for policies to dictate company culture, proper education and communication on a continuous basis are imperative. A lot of research still needs to be done to effectively implement this principle.

References

Bible. Good News Bible. Bible Society of South Africa, SA; 1994.
BS 7799. Code of practice for information security management. UK: British Standards Institute; 1999.
National Centre for Manufacturing Sciences (NCMS); 2002. Available from: http://www.ncms.org/2201/membership/policies.htm. [Accessed 21 November 2002].
RUsecure information security policies; 2002. Available from: http://www.information-security-policies.com/policies.htm. [Accessed 21 November 2002].
Russell C. Security awareness - implementing an effective strategy; 2002. Available from: http://rr.sans.org/aware/sec_aware.php. [Accessed 21 November 2002].
Schein E. Organizational culture and leadership. 2nd ed. Jossey-Bass; 1992.
The American Heritage Dictionary. 4th ed. Houghton Mifflin Publishing Company; 2000.
University of Texas Medical Branch (UTMB); 2002. Available from: http://www.utmb.edu/policy/rehab/search2/01-00-01.pdf. [Accessed 21 November 2002].
Voss BD. The ultimate defence of depth: security awareness in your company; 2001. Available from: http://rr.sans.org/aware/ultimate.php. [Accessed 21 November 2002].

Rossouw von Solms is a professor in Information Technology at the Port Elizabeth Technikon in South Africa. He has published and presented numerous papers in the field of information security. He has been a member of IFIP TC11 since 1995.

Basie von Solms is a professor in Computer Science at the RAU-Standard Bank Academy for Information Technology at the Rand Afrikaans University in South Africa. He has authored more than 70 papers in the field of information security. He is currently a vice-president of IFIP and the immediate past-chairperson of IFIP TC11.