It Is Our Policy

Published: 2016-07-23
Last Updated: 2016-07-23 18:11:20 UTC
by Russell Eubanks (Version: 1)
3 comment(s)

How many times have you heard someone say out loud our "our security policy requires..."? Many times we hear and are sometimes even threatened with "the security policy". Security policy should set behavioral expectations and be the basis for every technical, administrative and physical control that is implemented. Unfortunately, solid security policies are often elusive for several key reasons.
I regularly get the question, "How many security policies should I have”? My response is often found by raising my hands and wiggling my fingers in the air. There is nothing magic about the number of security policies, my observation is that many times there are more security policies than are actually needed.  
One of the most important aspects of a security policy, just like the jar of mayonnaise in your refrigerator, is an Expiration Date. This non technical control can help facilitate regular updates to account for current issues being faced and capabilities that may not have existed when the security policy was originally created. Think of this as a built in process to ensure that it is regularly reviewed - consider a recurring calendar reminder.
Should your employees be expected to memorize all of your security policies and is that even realistic for them? I hope not for their sake. What if you redefine the win by each of your employees knowing where to find the policy when faced with a decision? A Central Location for security policies, versus being spread all over your company is best and can serve as the set of guardrails to protect both the employee and the company. This will serve as a key resource for everyone to go to when regular faced with a decision of "is this allowed or not in the security policy”. 
Finally, as you start to develop or even assess the quality of your security policy, there are several Key Stakeholders, often outside of the information security team, who can provide valuable feedback specific to their respective areas.
  • Human Resources - Because many times employee behavior is involved in an incident
  • Legal - Because many times employee behavior is involved in an incident
  • Privacy - Because sometimes personally identifiable information is involved in an incident
  • Information Security - Because threats against company systems and data are involved in an incident
  • Physical Security - Because sometimes an employee needs to be encouraged to leave as a part of an incident
Take a look at the SANS policy website and look for any any topics that may be missing in your organization.
All that said, what two things can you do next week to improve your security policies? Let us know in the comments area!
Russell Eubanks

Keywords: Policy
3 comment(s)


I have a good security policy for my webserver, that was until google shopping insisted i leave my webserver open to the entire world... why they want this idk. I know this isnt logistics per se like you have in the diary, but if you arent looking for international buyers, and HUGE help for the security of your web server is a small iptables rule like such

iptables -I INPUT 1 -m multiport --ports 80,443 -m geoip ! --src-cc US -j DROP

this one single rule has stopped (please dont tell google i disobeyed them) many many many many many... i cant say it enough... many exploit attempts from all kinds of countries.

I dont have any more ports open to the general public, and sure i could probably write some OUTPUT rules but Im just not that lucrative of a target, and I dont sell anything to anyone outside the US through the site, I use eBay for that route.

Now this method requires that you update the ipv4 and ipv6 geoip databases, which shouldnt be an issue for most people, and the extension geoip is found in most linux distros packages as the xtables-addons or something simliar. very crucial
> many exploit attempts from all kinds of countries.

Isn't there one candidate for the Presidency of the USA who wants to build walls on the 49th parallel and on the USA's southern border? Is there a nickname for this type of isolationism?
Politics aside:

Traditionally firewalling is a process of "deny everything, then allow only that which I really need".

If I'm a local, regional, or national business - why should I expend limited resources on regions that have no business consuming them?

With that said: it doesn't stop anything. Anyone that really wants me is just going to VPN into a US-located service and hit me from there.

On the flip side of that: this is primarily "security through obfuscation" which is ineffective at very best. Real security is laid down in layers, and even though this doesn't buy anyone much, it buys the appropriate candidate _something_, so may be advantageous in those limited installations (acknowledging from the start those inherent limitations).

Diary Archives