I spend a lot of my time doing policy reviews. Sometimes the review request comes from the policy author, looking for some feedback. Usually, the request comes from someone else.
One of the first things that many new infosec managers do is start on a policy rewrite. While this is sometimes a political gesture, meant to establish the authority of a new manager, it is more often done because the existing policy is either obsolete, or poorly written.
Bad policies are counterproductive in multiple ways. It is usually impractical to follow a poorly written policy, which sends the message to the organization that policies are merely a bureaucratic exercise that can be ignored. In some cases, policies are based on a flawed analysis of risk, requiring employees to unnecessarily restrict their activities in ways that are bad for business. This reduces efficiency, and results in a cynical attitude towards the entire security program.
Policy is often a necessary evil, putting a virtual stake in the ground of employee behavior. ‘Good’ policy doesn’t guarantee that you will meet your security goals–not by any means. However, ‘bad’ policy will almost certainly lead to a disappointing security (or any other) program.
Make your policy documents something that your successors will want to keep.
Category: IT Governance risk management security Tags: policy, risk management, security, security program management

Jay Heiser