February 17, 2014
The Importance of Documentation
Written by Alex Hamerstone
There seems to be a fairly universal truth among information security folks: no one really enjoys creating documentation. This is unfortunate, because documentation is not only required by many standards, it also helps the organization run more smoothly. The documentation required by various standards tends to be fairly straightforward and will be addressed in a later blog post. What I would like to address here are some of the reasons that documentation, even when no standard or regulation requires it, can improve your information security functions.
Although we work in information security and often see the dark underbelly of human nature, our experience tells us that, in general, people want to do the right thing. They just don't always know what the right thing is. Things that seem simple or second nature to those of us in the industry may be novel concepts to those outside it. As we know, the majority of users in most organizations are not information security experts, and many are not even aware of basic information security tenets. This is where policies and procedures can make a valuable contribution.
Policies around information security basics give the user base direction. Requiring users to lock their machines when they leave their workstations and to use complex passwords are two simple examples of policies that add some degree of security. While these may seem like obvious concepts, it is shocking how many organizations, large and small, lack even this basic level of direction. Be sure that policies directed at the broad end-user base are written in an easy-to-understand way and that specific directions are not buried among pages of text.
Documenting information security procedures is especially important. Procedures not only help ensure that tasks are completed in a consistent and repeatable way, they also help transfer institutional knowledge. Think about your own organization for a moment. How many tasks are performed by one person with no backup? What would happen if that person suddenly left the organization or was incapacitated? Would anyone else know how to complete the task? Written procedures are valuable under these circumstances because they allow another person to complete the tasks. It is common during assessments to find organizations, large and small, that lack procedures. Information technology teams tend to be so wrapped up in day-to-day tasks that documentation falls by the wayside.
While creating documentation may not be the most exciting part of the workday, it is an essential function. If you have any questions about documentation development, please feel free to contact us.
This article was written by Alex Hamerstone (@infosecdoc) - Practice Lead: GRC