Hey everyone,
At a previous job, I was introduced to role-based security policies, and I found them incredibly effective. These policies followed a clear structure like:
{Role} {Modal Verb} {Requirement}
For example:
- “The Information Security Officer MUST conduct an annual review of all security policies and standards.”
- “System Administrators MUST ensure that all server patches are applied within 30 days of release.”
This format was precise, made responsibilities clear, and was easy to audit.
However, at most other companies I’ve worked at since, policies seem to use a descriptive/narrative approach, such as:
- “All servers must have patches applied within 30 days to mitigate security risks. (...)”
While this approach provides context and background and reads more like a narrative story, it sometimes feels less actionable and harder to tie to specific roles or compliance efforts, especially because you end up with text blocks that include multiple controls.
My questions for you all:
- Which approach do you prefer in your organization – role-based or descriptive?
- Do you think one is inherently better for ensuring clarity and accountability?
- Does anyone know the origin or framework behind the role-based format?
Thx! I'm looking forward to hearing your thoughts.