In one of the blog articles, I wrote about "The importance of documentation," but today, I want to delve a bit further into the subject.
At some point, you must have heard that "paper accepts everything," and it's so true: it's very common for a company, during an audit, to present evidence of how a process or policy is executed, only for the auditor to find that it differs from what was formalized on paper. Or people in the company disagree, because one did it this way but another said it was different. Let's agree! Sometimes it becomes a mess because everyone executes it the way they think it should be done, haha.
Making an analogy, not getting into the many details involved in creating a movie, but similar to how a movie script needs to be followed by all the cast members, security and privacy policies, norms, processes, and procedures need to be followed by your employees and other stakeholders. Just like there can be a series of bloopers before a scene makes it to the final product, it's common to have errors and failures when a new policy, for example, is introduced in the business context.
So here's the challenge! How do I ensure that what was formalized on paper is executed in practice?
I believe that first of all, every security and privacy policy, norm, process, and procedure, when created, needs to be communicated to everyone. And I'm not just talking about spreading the word through one channel. In this case, the intranet, email, instant messaging channels, or any other means should be used to disseminate them. Technically speaking, it's adopting the guidelines and/or recommendations from ISO/IEC 27002:2022 Control 6.3 "Information security awareness, education, and training," CIS v.8 Control 14 "Security Awareness and Skills Training," or NIST CSF (PR.AT) "Awareness and Training."
But it doesn't stop at communication; these documents need to be made available (published) in a centralized location so that if anyone has doubts, they can consult them.
All professionals involved in the campaign execution must be aware that their role is to evangelize employees, i.e., be change agents. In this way, both information security professionals and managers, including top management, should set an example and lead their professionals to do the right thing [...] (RAMOS, 2015, pg.55 - Book "Trilhas em Segurança da Informação").
It's important to reinforce that educational measures need to be periodic because things tend to be forgotten over time. At the beginning of a new policy, norms, processes, and procedures, "blooper" mistakes are normal, but with repetition, the "movie" comes to life (from paper to practice).
But please, for the sake of security and privacy, don't just go through the motions: presenting beautiful and marvelous documentation to impress, when in practice, once push comes to shove, nothing happens the way it was formalized.
=)