I’ve noticed the same trend recently with organizational security policies and requests for security products and services. Many government agencies and commercial enterprises are opting to simply copy language from other sources in lieu of developing their own policies. I have seen innumerable instances of incongruous citations or even unrelated federal or state statutes to satisfy the requirements for a security policy. In other cases, these sources are cited as the basis for establishing requirements for products and services these organizations are looking to purchase.
When it comes down to defining your policies and spending large amounts of money on security technology and services, the cut-and-paste method of writing may not be adequate. Only your organizational decision-makers can adequately define their risk tolerance and the value they place on their data resources. If you don’t have the in-house resources or expertise for such an undertaking, it might be best to hire a professional to help you build your security policies. In any case, someone will have to do the writing, and there’s no free lunch.
John McCumber is a security and risk professional, and is the author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, please e-mail John at: Cool_as_McCumber@cygnusb2b.com.