{"id":256,"date":"2016-08-20T14:06:00","date_gmt":"2016-08-20T14:06:00","guid":{"rendered":"https:\/\/securityeverafter.com\/2016\/08\/20\/it-is-our-policy\/"},"modified":"2016-08-20T14:06:00","modified_gmt":"2016-08-20T14:06:00","slug":"it-is-our-policy","status":"publish","type":"post","link":"https:\/\/securityeverafter.com\/it-is-our-policy\/","title":{"rendered":"It Is Our Policy"},"content":{"rendered":"

I recently posted the <\/span>below<\/a> on the <\/span>SANS Internet Storm Center<\/a>.<\/span>

<\/span><\/p>\n

\n
How many times have you heard someone say out loud our “our security policy requires…”? Many times we hear and are sometimes even threatened with “the security policy”. Security policy should set behavioral expectations and be the basis for every technical, administrative and physical control that is implemented. Unfortunately, solid security policies are often elusive for several key reasons. <\/div>\n
<\/div>\n
I regularly get the question, “How many security policies<\/b> should I have\u201d? My response is often found by raising my hands and wiggling my fingers in the air. There is nothing magic about the number of security policies, my observation is that many times there are more security policies than are actually needed.   <\/div>\n
<\/div>\n
One of the most important aspects of a security policy, just like the jar of mayonnaise in your refrigerator, is an Expiration Date<\/b>. This non technical control can help facilitate regular updates to account for current issues being faced and capabilities that may not have existed when the security policy was originally created. Think of this as a built in process to ensure that it is regularly reviewed – consider a recurring calendar reminder. <\/div>\n
<\/div>\n
Should your employees be expected to memorize all of your security policies and is that even realistic for them? I hope not for their sake. What if you redefine the win by each of your employees knowing where to find the policy when faced with a decision? A Central Location<\/b> for security policies, versus being spread all over your company is best and can serve as the set of guardrails to protect both the employee and the company. This will serve as a key resource for everyone to go to when regular faced with a decision of “is this allowed or not in the security policy\u201d.  <\/div>\n
<\/div>\n
Finally, as you start to develop or even assess the quality of your security policy, there are several Key Stakeholders<\/b>, often outside of the information security team, who can provide valuable feedback specific to their respective areas. <\/div>\n