The Problem with Policies and Standards
Most people will agree that a well written, accessible set of policies and standards should be somewhere in the belly of all information security programs. At their very essence they help people understand what to do and how to do it. Despite some people's pessimism, I believe most people want to do the right thing. This is the SecurityBuddha talking, you wouldn't expect anything else! Of course policies and standards themselves won't make companies secure, in the same way gym memberships don't help you get fit and lose weight. It's the effective and efficient use of them that counts.
From my experience in the "real world", policies and standards are more often than not:
- "Shelfware" that is inaccessible; usually Microsoft Word documents stuffed in a Windows folder or on an obscure intranet page, but sometimes nicely bound and printed in the CSO's office or on the coffee table in his waiting area.
- Dismissed by the business at large as largely irrelevant to anyone outside information security, and often referred to as the "constitution of the thought police".
- Poorly presented and poorly written. If car repair manuals were written like security policies there would be no hot-rods!
- Inconsistent; an 8-character minimum password in one policy, a 7-character minimum in another.
- Infrequently updated and therefore out of date.
- Lacking precision and context.
The programs that support them are more often than not:
- "Peaks and troughs" efforts at best, and one-time shots at worst.
- Unable to record who has read, signed and accepted a policy beyond crude email.
- Built on poor or loose processes for binding stakeholders into creation, changes and management.
- Without any process for handling updates beyond "save as...".
- Without any ability to automatically request, grant and track exceptions beyond Excel (or the back of a cigarette packet).
Blatant advert: we are offering policy and standards services called "Better Policies and Standards that Work", where we address these issues and more for clients. Of course our Policies and Standards module (part of Security Life) resolves these issues and much, much more.
April 24, 2007 at 4:46 pm
Hi Mark, I agree totally with this and would like to add a couple of comments...
First, "the road to hell is paved with good intentions", meaning a good security policy can often be created, but is lacking in execution ability.
Then, "in theory everything works; practice is something else", in that the person creating the security policy has not followed through on the execution, and hence on its actual effectiveness.
Finally, even when a good security policy is created with intentions that are not only good but precise, and its application is clear, the biggest pitfall I see, even if execution is effective, is the longer-term sustainability.