Making “Crusty” Security Policy Agile Enough for Our Startup

As HealthJoy grows, we’re actively leveling up our security framework, which means a lot more security policies. We recognized that these changes create a need for a different way to create and distribute policies: one that is as flexible and agile as our startup, rather than immutable and exclusively the IT and Security Team’s domain. We wanted to meet all our internal teams where they were already comfortable, rather than bearing down on them with new barriers to their work.

Since so many of our improvements require partnering with our Product and Engineering teams, we decided to build out our policy documentation (including procedures, auditing tasks, and SLAs) where those teams live: Atlassian’s Confluence and Jira.

I don’t know anyone who enjoys even skimming technical security policies (unless they wrote them?). At the same time, they’re really important documentation for operating consistently and predictably, establishing boundaries and expectations, and holding each other accountable.

Thankfully, while writing our policies in Confluence wasn’t necessarily more entertaining, it's reduced some of the complexity and other access barriers that can weigh them down.

It also matters that we meet other teams where they are, and that means finding a common language. We like to start with the question, “Does the [IT, DevOps, Marketing] team already have written procedures in a language and style they can understand and access somewhere?” Great! We find where they align, and reference those existing procedures inside the security policy.

Sometimes one set of comprehensive procedures covers multiple policies, so our policies cross-reference each other, too. There’s no need to reinvent the wheel by rewriting the same procedure in several places (and then updating every copy for minor changes like a different link or an extra step in a process). By making connections between policies, we strengthen the larger security story behind the controls.

To make progress on implementation and hold folks accountable, we can create and assign tasks to the relevant team’s Jira project straight from the policy document.

Redefining Policy Documentation

Policy documentation is necessary, but all too often, it can feel “old and crusty.” We’ve worked hard to innovate better ways to integrate improved security measures and avoid suddenly bombing our teams with a bunch of rules in an unfamiliar language. By knocking out those traditional barriers and leveraging the great platforms and processes we already use, we meet teams where they are, and ultimately, drive positive change in both our security and our culture.

[Shoutout to my 2020 MVP fantasy football players: Derrick Henry & Younghoe Koo]
