Threat Level: green Handler on Duty: Russell Eubanks

SANS ISC Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Your Security Policy Is So Lame

Published: 2015-08-02
Last Updated: 2015-08-02 00:20:56 UTC
by Russell Eubanks (Version: 1)
0 comment(s)

Every person should avoid lame security policies because of the lack of clarity they leave behind. Often times we find ourselves forced into creating security policies due to compliance requirements. Is there a way to lean into this requirement and get value beyond the checkbox? I certainly think so and would like to share some ideas on how you can do this as well.
 
I personally avoided being the “policy guy” until the patience of my management had finally expired. It was truly the job that none on the team wanted and it was my turn. My first step was pulling a security policy template book off the shelf. I remember that dust covered book very well. When working on the security policies, unexpectedly and out of no where it suddenly occurred to me - there is a great amount of influence when security policies are done properly. Sure, there are meetings with people who are not on your team, but working together is how anything meaningful gets done these days. I found that by working together with key business areas that security policies could be written so that more than just the auditor was interested in them.
 
The following are several tips and tricks you can use to make sure you move from "no good to great” security policies. 
 
  • Do not fail to add an expiration date to your security policies. Otherwise they get stinky, just like that jar of mayonnaise in your refrigerator. This will force you to both review and update them on a regular basis or risk being embarrassed because they are out of date.
 
  • Do not ask anyone to memorize your security policies. Why waste time memorizing a reference document? Spend your time doing something meaningful instead, such as reviewing ways to implement the 20 Security Controls in your company.
 
  • Do not use your security policy as an attempt to control small and often times personal issues. Instead, make sure your security policy addresses specific risk in your organization. Without a direct mapping to risk, it will be very easy to have too many security policies scattered all over the place.
 
  • Do not have too many security policies. I recommend you hold up both hands right now and wiggle your fingers as you consider how many security policies you might actually need. I’ll wait.
 
  • Will violation of your security policy eventually lead to the policy violator realizing their opportunity to violate security policy at a different company? It should - Otherwise your document is really a suggestion and not a policy.
 
  • Do have your security policy stored in one single and easy to find location? It would be a shame to spend all that time and no one ever read your security policies. Reminds me of that story about a tree that falls in the forest.
 
One of the very best security policy resources you will find is just a click away at the SANS Institute website. Specifically, the SANS Information Security Policy Templates. There you will readily find many examples that you can customize and make your own.
 
What are you doing to make sure your security policy is not lame? Use the comments section to share what has worked for you.
 
Russell Eubanks
Follow me on Twitter @RussellEubanks
 
Keywords: Policy
0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Tech tip follow-up: Using the data Invoked with R's system command
1 day ago by Russ McRee (0 comments)

Tech tip: Invoke a system command in R
2 days ago by Russ McRee (0 comments)

Malicious spam continues to serve zip archives of javascript files
4 days ago by Brad Duncan (6 comments)

Android Stagefright multimedia viewer prone to remote exploitation
4 days ago by Rick (2 comments)

Guest Diary: Xavier Mertens - Integrating VirusTotal within ELK
4 days ago by Alex Stanford (2 comments)

Angler's best friends
6 days ago by Daniel (3 comments)

froxlor Server Management Portal severe security issue
4 decades ago by Russ McRee (0 comments)

View All Diaries →

Latest Discussions

Systematic port scanning using a very set of IP addresses
created 5 days ago by RG (0 replies)

Fake BSOD used to scam end users
created 1 week ago by SSturby (0 replies)

Adobe releases Flash player 18.0.0.203 - addresses Flash vulnerability revealed in Hacking Team compromise
created 3 weeks ago by Brad Duncan (1 reply)

Can HPKP be used in persistent denial-of-service (DoS) attack on web sites?
created 3 weeks ago by Brad Duncan (0 replies)

Detecting lateral movement by NIDS/IPS (netcat or psexec)
created 1 month ago by DrGreen (2 replies)

View All Forums →

Latest News

View All News →