How many times have you heard someone say out loud our our security policy requires...?Many times we hear and are sometimes even threatened with the security policy. Security policy should set behavioral expectations and be the basis for every technical, administrative and physical control that is implemented. Unfortunately, solid security policies are often elusive for several key reasons.
I regularly get the question, How many security policiesshould I have? My response is often found by raising my hands and wiggling my fingers in the air. There is nothing magic about the number of security policies, my observation is that many times there are more security policies than are actually needed.
One of the most important aspects of a security policy, just like the jar ofmayonnaise in your refrigerator, is anExpiration Date. This non technical control can help facilitate regular updates to account for current issues being faced and capabilities that may not have existed when the security policy was originally created. Think of this as a built in process to ensure that it is regularly reviewed-considera recurring calendar reminder.
Should your employees be expected to memorize all of your security policies and is that even realistic for them? I hope not for their sake. What if you redefine the win by each of your employees knowingwhere to find the policywhen faced with a decision?ACentral Locationfor security policies, versus being spread all over your companyis best and can serve as theset of guardrails to protect both the employee and the company. This will serve as a key resource for everyone to go to when regular faced with a decision of is this allowed or not in the security policy.
Finally, as you start to develop or even assess the quality of your security policy, there are several">
  • Human Resources - Because many times employee behavior is involved in an incident
  • Legal - Because many times employee behavior is involved in an incident
  • Privacy - Because sometimes personally identifiable information is involved in an incident
  • Information Security - Because threats against company systems and data are involved in an incident
  • Physical Security - Because sometimes an employee needs to be encouraged to leave as a part of an incident
  • ">
    Take a look at theSANS policy websiteand look for anyany topics that may be missing in your organization.
    All that said, what two things can you do next week to improve your security policies? Let us know in the comments area!
    ) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
    Internet Storm Center Infocon Status