The Seven Deadly Sins of Security Policy

By Joan Goodchild, CSO
October 07, 2009 11:52 AM ET

CSO - In today's compliance-centric world, your organization may have so many security policies that you've lost track. But how effective are your policies at really mitigating the risks you face? And are there some that you might have put in place simply to follow the law but that just aren't being enforced? According to the policy experts we interviewed, those are just two of the several common mistakes an organization can make when putting policies on the books.

Here, we detail seven sins that two security consultants see regularly in the field. Read on to find out which ones you might be committing, and how to set things right if you are.

1. Failing to do a risk assessment before crafting a policy

The first question any organization should ask before writing any policy is "Why do we need this policy and what are we trying to achieve with it?" It sounds obvious, but it is a crucial step many overlook, according to Charles Cresson Wood, an independent information security consultant based in California and the author of several information security books.

"I'm working with one client now who is compelled by laws and regulations to issue policies and awareness materials, but they haven't done a risk assessment in three years," said Cresson Wood. "They don't really know what they are up against. So these policies can't help but miss the mark. Yes, they will be in compliance with the letter of the law, but certainly not the spirit."

Cresson Wood said he is trying to bring a more holistic and integrated view of information security to his clients' policy crafting so that they implement policies that actually work. Too much policy work is driven by compliance, he said. In fact, he doesn't even like the word 'compliance.'

"It implies users are compromising themselves or being dominated by someone. We need to get groups of people on board with what we are trying to do with these policies. I prefer the term 'unity of purpose.'"

So the first step, before you even think about putting anything down in writing, is to do a comprehensive risk assessment so you know exactly what your organization needs a policy to address.

2. Having a 'one-size-fits-all' mentality

"This may sound strange coming from me," said Cresson Wood, who actually authored a book with templates for organizations to use when developing policies. "But those are just a starting point."

Many organizations are simply using examples in books or borrowing from other organizations, he said.

"Especially in this economy," said Cresson Wood. "People are pressed for time and money. They are just reprinting what they find elsewhere."

Cresson Wood even worked with one company that had a policy which still had another organization's name in the text of the document.

"I brought this to management's attention and they said, 'I guess we didn't do a very good job editing.'"

But writing a security policy that is going to work for you takes more than editing. You might start from a template or borrow from another organization's example, but after your risk assessment it is important to customize the policy for what YOUR organization needs. That means taking the time to carefully write a policy that fits your own risk profile.