Elements of security policy style, Part 3

In this short series of articles, I am updating materials I wrote for Chapter 28 (“Security Policy Guidelines”) of _The Computer Security Handbook, 4th Edition_ . This third column continues with recommendations on the medium for presenting security policies.

What options do policy makers have for publishing their policies? You can print them on paper or publish them electronically.

Printed text

Policies are not inherently interesting. Large volumes full of policies quickly become shelfware. On the other hand, short paper documents are familiar to people; they can be carried around or placed at hand for easy reference anywhere. Reference cards, summary sheets, stickers, and posters are some of the printed media that can be useful in security awareness, training, and education programs. Printed text, like its electronic versions, provides the opportunity for typeface and color to be used in clarifying and emphasizing specific ideas. However, printed copies of policies share a universal disadvantage: they are difficult to update.

Updating dozens, hundreds, or thousands of individual copies of policy documents can be such a headache that organizations simply reprint the entire document rather than struggle with updates. Updates on individual sheets require the cooperation of every user to insert the new sheets and remove the old ones; experience teaches that many people simply defer such a task, sometimes indefinitely, and that others have an apparently limited understanding of the sequential nature of page numbers. Badly updated policy guides may be worse than none at all, especially from a legal standpoint. If an employee violates a new policy but available manuals fail to reflect that new policy, it may be difficult to justify dismissal for wrongdoing.

Electronic one-dimensional text

Despite the familiarity and ubiquity of paper, in today’s world of near-universal access to computers in the work environment there is a place for electronic documentation of policies.

Such publication has enormous advantages from an administrative standpoint: All access to the policies can be controlled centrally, at least in theory. Making the current version of the policies (and subsets of the policies) available for reference on a server obviates the problem of updating countless independent copies. However, it is true that employees determined to defy authority can make their own copies of such files on most systems, leading to the electronic parallel to the normal situation when using paper: chaotic differences among copies of different age.

One solution to this problem of enforcing a single version is to send every user a copy of the appropriate documents by e-mail with a request to replace their copies of lower version number. Although this solution is not perfect, it does help to keep most people up to date. A more active approach, using a centralized computer, would scan all systems whenever they are connected to the corporate network, and actively delete and replace outdated policies by the correct current versions.