The InfoSec Blog

Make your policy generic, not specific

Posted by Anton Aylward

Some of us security types were discussion policy, login notices and the like.

Someone commetned on a badly written poicy about the use of corporate e-mail and discussion about the company.

... I recently worked at a place that had an weak and over specific email policy.
One day management realizes there are other areas where "contraband communication" can take place - internet groups, blogs, forums, IM, Blackberries, etc. If the policy hadn't been wrtten to deal specifically with "email" or been more general about the level of technology it would have saved us some hassle.
As it was, our policy development and approval process was too sllw and ciumbersome.

This is a generic issue and not limited to e-mail, IM, etc.

Long ago in a policy development workshop that I was running we thrashed out how to express ACCESS CONTROL so that it was perfectly generic, applied to
everything from the parking lot to the executive washroom, was in language everyone from the Board of Directors to the Janitor could understand. Of
course it applied to computer/network access, and its wording marched the requirement of the 'restricted access' logon notices.

I've been told the lawyers didn't like it but the reasons seemed to boil down to the fact that the language was so straight forward and unambiguous that there wouldn't be enough billable hours if it came to a court case.

If you structure your policy management properly so there is a succinct POLICY STATEMENT and ancillary sections that address

  • Justification
  • Consequences of Non compliance
  • Roles and Responsibilities
  • Who/When/Where/Why Does this Apply?
  • Guidelines for Interpretation
  • Relevant Standards (Internal and External)

and of course

  • Procedures

then its a very effective and efficient way to work.
This is because

a) You don't need a lot policies if they are "general"
b) It makes them easy to learn and remember
c) You don't have to keep going back to the board to get picayune changes approved