Posted by Anton Aylward
On the ISO27000 Forum list, someone asked:
That's a very ingenious way of looking at it!
One way of formulating the risk statement is from the control
objective mentioned in the standard.
Is there any other way out ?
Ingenious aside, I'd be very careful with an approach like this.
Risks and controls are not, and should not be, 1:1.
Posted by Anton Aylward
As I've said before, you should not ask yourself what policies to write but what you need to control. If you begin with a list of policies, you need to adapt the reality to the list. The risk is that you create a false sense of control of security.
The threat-risk approach is 'technical', and as we've discussed many times, the list of threats cannot be fully enumerated, so this is a ridiculous approach.
Basing policy on risk is also a fruitless approach as it means you are not going to face some important points about policy.
Policy is for people. It's not technical; it's about social behaviour and expectations.
Policy can be an enabler, but if you think only about risk you will only see the negatives; your policies will all be of the form "Don't do that".
Policies should tell people what they should do, what is expected of them, give them guidance.
Policies also have to address the legal and regulatory landscape. As such they may also address issues of ethics, which again is not going to be addressed by a threat-risk approach.
All in all, if you follow Mark's advice you may write policies that seem OK, but when it comes to following them it will be like the song from the 70s by The Five Man Electric Band:
and people will feel put upon and that the company is playing Big Brother. You will have heavy-handed rules that are resented and not clearly understood by all employees.
Policies are there to control the behaviour of people in the corporate setting. Think in terms of people and behaviour, not in terms of threats and risks.
Policies are to guide and control behaviour of people, not of machines and software.
Think of policies as having these kinds of objectives and you will be on a firm footing:
- Shift attitudes and change perspectives
- Demonstrate management support
- Assure consistency of controls
- Establish a basis for disciplinary action
- Avoid liability for negligence
- Establish a baseline against which to measure performance and improvement
- Coordinate activities
and, of course, something important to all of us toiling in InfoSec:
- Establish a basis for budget and staffing to implement and enforce the policies
Policies need to be created from the point of view of management, not as a set of techie/geek rules, which the threat/risk approach would lead to.
Not least of all because, as I'm sure Donn Parker will point out, managers don't want to hear all that bad stuff about threats; they want policies that encourage staff to contribute to the profitability of the
I am currently available to offer InfoSec & GRC audit and consulting services through my company - System Integrity