Company security policy: How to write standard work instructions

Writing work instructions to go along with information security processes takes a great deal of effort, but the rewards can include increased security and smoother disaster recovery. Learn more in this expert tip from Michael Cobb.

In my recent article on creating a company security policy document, I discussed the importance of incorporating a comprehensive documentation initiative within your security strategy. Not only is documentation essential if you are looking to comply with or align your security practices to a standard such as ISO 27001:2005, but it's also necessary if you want to ensure your information systems remain secure and compliant if staff leave or are unavailable due to sickness or injury.

With many sectors of the economy struggling, redundancies and staff turnover are relatively high. Thus, if key personnel leave for whatever reason, it's important to ensure the critical knowledge required to maintain your IT infrastructure doesn't leave with them. This is one reason why detailed work instructions are such an important part of a document set. They help ensure an organisation is not reliant on one individual's knowledge to maintain its security controls.

Standard work instructions (often referred to as standard operating procedures or process instructions) set out formalized step-by-step activity-specific instructions for carrying out a particular task, such as updating antivirus software and running scans. Every work instruction needs to be detailed enough that someone with similar skills could easily repeat the task to the required standard. Ensuring consistency in IT processes is a critical component for ensuring security.

Work instructions exist as important supporting documentation for your policies and procedures. For ISO purposes, they are level-three documents, which means they detail how to do something, whilst procedures are level two, which means they cover who does what and when. They are separated out from procedure documentation for reasons of clarity, and because they are often subject to regular adjustment due to changes in system hardware and software.

The procedure that work instructions support will indicate who has the authority to trigger the process and why, plus any events or dates that will trigger when the procedure must be run and the work instructions used. (Most procedures should be run at least yearly, just to test them if nothing else.)

Work instructions are always required when a process is either complex or involves many tasks. The number of work instructions you'll need to create will obviously depend on the size and nature of the organisation's activities, but even a small organisation should end up with a comprehensive set of documents.

Each set of work instructions should start by including:

  • its version control number;
  • its classification (some work instructions may contain sensitive system information);
  • which information asset(s) it applies to;
  • its purpose and when it is used; and
  • who has what responsibilities.

The main section of the work instructions will be the detailed instructions. If the work instructions cover a critical or highly complex process, each step should also detail who has the authority to instigate it and who is responsible for completing it. Never assign more than one person responsibility, otherwise each may think the other has completed it, and if a problem occurs, you could end up with finger pointing.

The easiest way to document procedure steps is through a simple outline format detailing each of the steps and any sub-steps involved. You may want to include screenshots if the procedure has anything to do with software, or scanned images if hardware ports or internal connections, such as jumpers, are involved.

The work instructions should also state what information the person(s) carrying out the task needs to know and whether there's any specific training or certification that they need. This also helps build up a true picture of the skill sets the organisation requires to run a secure system and will help HR with job descriptions and recruitment.

Finally, your work instructions should end by stating:

  • who is responsible for and maintains/oversees the work instructions themselves;
  • when it is due to be reviewed;
  • what events can trigger an unscheduled review;
  • where the document is located; and
  • who has signed and approved it.

Creating an effective set of work instructions is an ongoing process, not a one-off project. Many organisations put in an incredible amount of work to get their work instructions completed, but then take little time or effort to ensure they remain current and effective. You won't realistically be able to tell if work instructions are effective until you actually use them. You can use them to train future staff, so clarifications and improvements should be considered each time they're used: They are far from static documents that can be written and forgotten.

I often come across security documents that have obviously been cut and pasted verbatim from examples or similar documents on the Internet. Creating work instructions is a time-consuming and often tedious task, but copying other people's work instructions rarely works. By all means, use others' work instructions as guides for what type of information these documents should contain, but copying someone else's will include unnecessary, irrelevant and misleading text.

A work instructions document should cross-reference any other procedures that support it. For example, a work instruction covering sending faxes will need to cross-reference the document that covers information classification requirements. It is also helpful if work instructions include or reference a checklist of what information or tools are required and who needs to be notified before beginning the procedure. And of course, once the tasks in the work instructions document have been completed, the relevant records and logs need to be updated and signed off to say who completed them and when, along with any notes or observations. Notification of the completed task should be sent to all relevant parties.

Like any other documents relating to a security policy, all work instructions documents should be protected and controlled with a documented procedure to define the management actions needed to approve, review and update them and ensure they're available to those who need them.

Though it requires a lot of effort, creating work instructions for every task and process involved is well worth the investment for maintaining your security controls. A good set of work instructions will help preserve vital knowledge within your organisation and ensure consistent implementation of your security policies.

About the author:
Michael Cobb CISSP-ISSAP, CLAS, is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.
