Make your policy generic, not specific

Some of us security types were discussion policy, login notices and the like.

Someone commetned on a badly written poicy about the use of corporate e-mail and discussion about the company.

… I recently worked at a place that had an weak and over specific email policy.
One day management realizes there are other areas where “contraband communication” can take place – internet groups, blogs, forums, IM, Blackberries, etc. If the policy hadn’t been wrtten to deal specifically with “email” or been more general about the level of technology it would have saved us some hassle.
As it was, our policy development and approval process was too sllw and ciumbersome.

This is a generic issue and not limited to e-mail, IM, etc.

Long ago in a policy development workshop that I was running we thrashed out how to express ACCESS CONTROL so that it was perfectly generic, applied to
everything from the parking lot to the executive washroom, was in language everyone from the Board of Directors to the Janitor could understand. Of
course it applied to computer/network access, and its wording marched the requirement of the ‘restricted access’ logon notices.

I’ve been told the lawyers didn’t like it but the reasons seemed to boil down to the fact that the language was so straight forward and unambiguous that there wouldn’t be enough billable hours if it came to a court case.

If you structure your policy management properly so there is a succinct POLICY STATEMENT and ancillary sections that address

  • Justification
  • Consequences of Non compliance
  • Roles and Responsibilities
  • Who/When/Where/Why Does this Apply?
  • Guidelines for Interpretation
  • Relevant Standards (Internal and External)

and of course

  • Procedures

then its a very effective and efficient way to work.
This is because

a) You don’t need a lot policies if they are “general”
b) It makes them easy to learn and remember
c) You don’t have to keep going back to the board to get picayune changes approved

Yes, it off-loads a lot of the work to the “Guidelines” and the “Procedures”, but those are going to be very situation specific anyway. If you can get the top level policies done its easy to delegate the details.
And with a web based system, hyperlinks and search engine the “how does this apply to me” and “what applies to me” is straight forward so long as you have a clear idea of roles.

If you don’t, well, there are probably more fundamental questions to askabout your organization such as ‘what the heck is everyone doing?”

Reblog this post [with Zemanta]

About the author

Security Evangelist