{"id":228,"date":"2015-08-02T00:33:00","date_gmt":"2015-08-02T00:33:00","guid":{"rendered":"https:\/\/belayclientstaging.zone\/securityeverafter\/2015\/08\/02\/your-security-policy-is-so-lame\/"},"modified":"2015-08-02T00:33:00","modified_gmt":"2015-08-02T00:33:00","slug":"your-security-policy-is-so-lame","status":"publish","type":"post","link":"https:\/\/securityeverafter.com\/your-security-policy-is-so-lame\/","title":{"rendered":"Your Security Policy Is So Lame"},"content":{"rendered":"

I recently posted the below<\/a> on the SANS Internet Storm Center<\/a>.<\/p>\n

<\/p>\n

Every person should avoid lame security policies because of the lack of clarity they leave behind. Oftentimes we find ourselves forced into creating security policies due to compliance requirements. Is there a way to lean into this requirement and get value beyond the checkbox? I certainly think so and would like to share some ideas on how you can do this as well. <\/div>\n
<\/div>\n
I personally avoided being the \u201cpolicy guy\u201d until the patience of my management had finally expired. It was truly the job that no one on the team wanted and it was my turn. My first step was pulling a security policy template book off the shelf. I remember that dust-covered book very well. When working on the security policies, unexpectedly and out of nowhere it suddenly occurred to me – there is a great amount of influence when security policies are done properly. Sure, there are meetings with people who are not on your team, but working together is how anything meaningful gets done these days. I found that by working together with key business areas, security policies could be written so that more than just the auditor was interested in them. <\/div>\n
<\/div>\n
\n
The following are several tips and tricks you can use to make sure you move from “no good to great\u201d security policies.  <\/div>\n<\/div>\n
<\/div>\n