Your Security Policy Is So Lame
Every person should avoid lame security policies because of the lack of clarity they leave behind. Often times we find ourselves forced into creating security policies due to compliance requirements. Is there a way to lean into this requirement and get value beyond the checkbox? I certainly think so and would like to share some ideas on how you can do this as well.
I personally avoided being the “policy guy” until the patience of my management had finally expired. It was truly the job that none on the team wanted and it was my turn. My first step was pulling a security policy template book off the shelf. I remember that dust covered book very well. When working on the security policies, unexpectedly and out of no where it suddenly occurred to me - there is a great amount of influence when security policies are done properly. Sure, there are meetings with people who are not on your team, but working together is how anything meaningful gets done these days. I found that by working together with key business areas that security policies could be written so that more than just the auditor was interested in them.
The following are several tips and tricks you can use to make sure you move from "no good to great” security policies.
- Do not fail to add an expiration date to your security policies. Otherwise they get stinky, just like that jar of mayonnaise in your refrigerator. This will force you to both review and update them on a regular basis or risk being embarrassed because they are out of date.
- Do not ask anyone to memorize your security policies. Why waste time memorizing a reference document? Spend your time doing something meaningful instead, such as reviewing ways to implement the 20 Security Controls in your company.
- Do not use your security policy as an attempt to control small and often times personal issues. Instead, make sure your security policy addresses specific risk in your organization. Without a direct mapping to risk, it will be very easy to have too many security policies scattered all over the place.
- Do not have too many security policies. I recommend you hold up both hands right now and wiggle your fingers as you consider how many security policies you might actually need. I’ll wait.
- Will violation of your security policy eventually lead to the policy violator realizing their opportunity to violate security policy at a different company? It should - Otherwise your document is really a suggestion and not a policy.
- Do have your security policy stored in one single and easy to find location? It would be a shame to spend all that time and no one ever read your security policies. Reminds me of that story about a tree that falls in the forest.
One of the very best security policy resources you will find is just a click away at the SANS Institute website. Specifically, the SANS Information Security Policy Templates. There you will readily find many examples that you can customize and make your own.
What are you doing to make sure your security policy is not lame? Use the comments section to share what has worked for you.
Russell Eubanks
Follow me on Twitter @RussellEubanks
Keywords: Policy
4 comment(s)
My next class:
Performing A Cybersecurity Risk Assessment | New Orleans | Feb 17th - Feb 18th 2025 |
×
Diary Archives
Comments
Another way to help is to separate the user-facing policies from the IT facing procedure or standards documents. The specialist in the marketing department doesn't need to read about how you perform monthly penetration tests or patch your servers.
Anonymous
Aug 2nd 2015
9 years ago
Real business value emerges when we are able to clearly communicate with those who are outside our teams. To me this is a great litmus test - can someone who does not work in technology understand the security policy both quickly and clearly.
Russell
Anonymous
Aug 2nd 2015
9 years ago
Thing needs to end up in tech specs as they are called in IBM jargon. And clearly define what you mean by words like must, should etc. Only requirements, not recommendations are implemented by the operations people.
And for end-user facing policies, have HR write the text in a language they expect the average end-user to understand, and have HR distribute it.
A security policy is everything from a half page management approved principles down to a 1000+ pages tech specs collection.
Anonymous
Aug 5th 2015
9 years ago
I've seen too many people just make up policies and it tends to muck up the works with inconsistencies.
Anonymous
Aug 7th 2015
9 years ago