Threat Level: green Handler on Duty: Russell Eubanks

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

It Is Our Policy

Published: 2016-07-23
Last Updated: 2016-07-23 18:11:20 UTC
by Russell Eubanks (Version: 1)
0 comment(s)

How many times have you heard someone say out loud our "our security policy requires..."? Many times we hear and are sometimes even threatened with "the security policy". Security policy should set behavioral expectations and be the basis for every technical, administrative and physical control that is implemented. Unfortunately, solid security policies are often elusive for several key reasons.
I regularly get the question, "How many security policies should I have”? My response is often found by raising my hands and wiggling my fingers in the air. There is nothing magic about the number of security policies, my observation is that many times there are more security policies than are actually needed.  
One of the most important aspects of a security policy, just like the jar of mayonnaise in your refrigerator, is an Expiration Date. This non technical control can help facilitate regular updates to account for current issues being faced and capabilities that may not have existed when the security policy was originally created. Think of this as a built in process to ensure that it is regularly reviewed - consider a recurring calendar reminder.
Should your employees be expected to memorize all of your security policies and is that even realistic for them? I hope not for their sake. What if you redefine the win by each of your employees knowing where to find the policy when faced with a decision? A Central Location for security policies, versus being spread all over your company is best and can serve as the set of guardrails to protect both the employee and the company. This will serve as a key resource for everyone to go to when regular faced with a decision of "is this allowed or not in the security policy”. 
Finally, as you start to develop or even assess the quality of your security policy, there are several Key Stakeholders, often outside of the information security team, who can provide valuable feedback specific to their respective areas.
  • Human Resources - Because many times employee behavior is involved in an incident
  • Legal - Because many times employee behavior is involved in an incident
  • Privacy - Because sometimes personally identifiable information is involved in an incident
  • Information Security - Because threats against company systems and data are involved in an incident
  • Physical Security - Because sometimes an employee needs to be encouraged to leave as a part of an incident
Take a look at the SANS policy website and look for any any topics that may be missing in your organization.
All that said, what two things can you do next week to improve your security policies? Let us know in the comments area!
Russell Eubanks

Keywords: Policy
0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

The life of an IT Manager
1 day ago by Deborah (3 comments)

Practice ntds.dit File
1 day ago by DidierStevens (1 comment)

Guest Diary, Etay Nir: Flipping the Economy of a Hacker
3 days ago by Richard (5 comments)

ASN.1 Anyone? CVE-2016-5080
3 days ago by Richard (0 comments)

Office Maldoc: Let's Focus on the VBA Macros Later...
4 days ago by DidierStevens (6 comments)

HTTP Proxy Header Vulnerability ("httpoxy")
5 days ago by Dr. J. (2 comments)

Python Malware - Part 3
1 week ago by DidierStevens (1 comment)

View All Diaries →

Latest Discussions

Firefox to banish hidden Flash files – and kill off sneaky ad snoopers
created 2 hours ago by Russell (0 replies)

BGP forums/discussion
created 4 days ago by Anonymous (0 replies)

Security Policies
created 1 week ago by Anonymous (0 replies)

Security Principle - Don't trust logs from the host in question.
created 1 week ago by Anonymous (4 replies)

Tracking EoL Software
created 4 weeks ago by SaltedSecurity (2 replies)

View All Forums →

Latest News

View All News →

Top Diaries

Critical Cisco ASA IKEv1/v2 Vulnerability. Active Scanning Detected
5 months ago by Dr. J. (25 comments)

An Approach to Vulnerability Management
4 weeks ago by Russell (13 comments)

CryptXXX ransomware updated
2 weeks ago by Brad (0 comments)

Microsoft Patch Tuesday Summary for May 2016
2 months ago by Alex Stanford (5 comments)

Python Malware - Part 3
1 week ago by DidierStevens (1 comment)