Tuesday, November 13, 2012

Stuff I Say - You Pay by the Word

   This is a continuation of a series of posts on some of my philosophies about security strategy.  These ideas are covered in a fun talk entitled #*%! My CISO Says, covering a range of security governance and management topics.  Slides are on my slideshare page.  The first two posts are here and here.

   In that second post I was talking about policy.  Traditionally many organizations have staff sign a form that says that they have read and understood policy.  Perhaps the organization has some kind of new employee orientation at which policy is reviewed.  Among the problems is that policy is usually too long and too complicated.  It then becomes a TL;DR document (Too Long; Didn't Read).  I'm sure that both policy writers and policy readers/recipients can relate to this.
   So what to do?  I like to say that "you pay by the word", because you can pay now or pay later...

   I like policies to be as "crisp" and concise as possible.  If a policy is too long, people just won't read it.  Some organizations create a single, long "policy".  I recommend separate policies.  That way people can more easily get to the specific information they need in a given situation.  Policies should also be online and well linked to make it easy to find supporting information.  So, if we think in terms of paying by the word when creating the policy, that can help keep the focus on short, crisp policy.

   But if policy is not kept short and understandable, then you will pay by the word in a different sense.  If staff are confused by policy, they may choose to stay with business-as-usual and expect that someone will let them know if they do something wrong.  That does not create a security partnership.  The security professional will pay because users will not follow policy.  Time, money and other resources will need to be spent on violation detection and enforcement.  While these are necessary parts of your program, that's not where you want to spend all your time.
   The employees and staff will pay because they will be on the receiving end of these investigations.  It's just not the best use of anyone's time.

   One last point... policies need to be easy to find.  Keep them online on your intranet pages.  Advertise this in your awareness program.

   What about third-party agreements?  Some organizations specify that contract partners must adhere to the organization's policies.  But how will the third party get to the policies, view updates, etc.?  I like policies that are written to provide appropriate information without giving away anything proprietary.  That way, the policies (but not the standards or procedures; I'll talk about the differences in a future post) can be posted on a public website.  Merely handing a copy to the third party is too cumbersome: it might not be correctly distributed internally, and ensuring they receive updates is difficult.  If your policies are posted publicly, then third-party partners always have access to the latest version.

   Ultimately, we want to make it easy to follow policy and do the right thing.  That means making policy easy to find and easy to understand.  And that takes effort.

   Security professionals, how do you make policy easy to find, understand and follow?  What good techniques do you use and what have you found difficult?  For non-security folks... what frustrates you about your organization's policies?
