Security policies are so last year. They are boring and unsexy and merely exist to please the auditors and regulators. Everyone knows that once you have them in place, you really don’t need to spend any effort managing and enforcing them. Okay, I’m exaggerating the point, but this is the exact vibe I get from so many IT/security managers, compliance officers and business executives when discussing security policies. They are seemingly as much a nuisance as they are a necessity. But people will often download existing policies off the Web and muscle through the motions, leaving it at that — and the business is really no better off than it was before. In fact, this very scenario often creates a false sense of security and compliance which really makes the problem worse.
Rather than stirring around at the back of the herd and hoping you don’t get bitten, you can do something about it. There are several things to keep in mind before, during and after you develop your security policies that will take the pain out of policies once and for all.
First of all, you have to know where your business is at risk. Documenting random security policies that may or may not apply to your business is usually a waste of time — that is, unless doing the bare minimum to meet some compliance requirement or to please an auditor is your goal. Instead, analyze who and what the policies really apply to. Think about how the policies you’re documenting affect your business now and down the road. Perform an in-depth assessment looking at the technical and operational sides of security and you’ll find the specific areas for which you need to create policies.
You also have to understand that there’s more to policies than passwords and acceptable usage. The most common policies I see govern passwords and computer/Internet usage. Practically every organization has some employee handbook verbiage dedicated to these topics. But information security is so much more than that. You can’t afford to overlook things like remote access, patch management and application security. Doing so only sets everyone up for failure.
Another thing that often gets in the way of reasonable security policies is the lack of a formal structure for policy documents. It’s common to see randomly structured security policies — one policy document may have a few sentences; a second may be 10 or more pages of random content; while a third may be scattered with multiple policy statements. These are not only hard to read, but they make it difficult for IT staff, management, auditors and consultants to use them for future reference.
For the love of risk management, don’t confuse policies with procedures and plans. Security policies are statements of “this is how we do things here” and procedures and plans outline how each policy will be carried out, enforced and otherwise managed. Unfortunately, these are often intermingled — creating confusion and unnecessary complexity. Above all else, you can’t view policies as “someone else’s issue.” I see time and time again situations where a network administrator says that management is working on policies, or a CSO assumes the information security analyst is handling them, and so on. There’s no real responsibility and accountability. Security policies aren’t just a corporate security issue, nor are they an IT-only issue. Oversight by a compliance manager is not enough either — the reality is that security policies should be developed, managed and enforced at a security committee level, period.
Security policies aren’t going to magically make your business “secure” or “compliant.” That said, organizations that have documented security policies and have taken the time to get everyone on the same page have a much better grasp of information security. I know if I see good policies, then odds are I’m going to find fewer technical and operational risks in my assessment projects. I also know that I’m going to be able to speak with people in IT, HR, legal and management, and everyone’s pretty much going to be on the same page. Like a good set of goals, they work and live by their security policies rather than just documenting and forgetting about them. It’s consistent and predictable regardless of the size of the business or the industry in which they operate.