I recently posted the below on the SANS Internet Storm Center.
How many times have you heard someone say out loud our “our security policy requires…”? Many times we hear and are sometimes even threatened with “the security policy”. Security policy should set behavioral expectations and be the basis for every technical, administrative and physical control that is implemented. Unfortunately, solid security policies are often elusive for several key reasons.
I regularly get the question, “How many security policies should I have”? My response is often found by raising my hands and wiggling my fingers in the air. There is nothing magic about the number of security policies, my observation is that many times there are more security policies than are actually needed.
One of the most important aspects of a security policy, just like the jar of mayonnaise in your refrigerator, is an Expiration Date. This non technical control can help facilitate regular updates to account for current issues being faced and capabilities that may not have existed when the security policy was originally created. Think of this as a built in process to ensure that it is regularly reviewed – consider a recurring calendar reminder.
Should your employees be expected to memorize all of your security policies and is that even realistic for them? I hope not for their sake. What if you redefine the win by each of your employees knowing where to find the policy when faced with a decision? A Central Location for security policies, versus being spread all over your company is best and can serve as the set of guardrails to protect both the employee and the company. This will serve as a key resource for everyone to go to when regular faced with a decision of “is this allowed or not in the security policy”.
Finally, as you start to develop or even assess the quality of your security policy, there are several Key Stakeholders, often outside of the information security team, who can provide valuable feedback specific to their respective areas.
- Human Resources – Because many times employee behavior is involved in an incident
- Legal – Because many times employee behavior is involved in an incident
- Privacy – Because sometimes personally identifiable information is involved in an incident
- Information Security – Because threats against company systems and data are involved in an incident
- Physical Security – Because sometimes an employee needs to be encouraged to leave as a part of an incident
Take a look at the SANS policy website and look for any any topics that may be missing in your organization.
All that said, what two things can you do next week to improve your security policies? Let us know in the comments area!