I spend a lot of my time doing policy reviews. Sometimes the review request comes from the policy author, looking for some feedback. Usually, the request comes from someone else.
One of the first things that many new infosec managers do is start on a policy rewrite. While this is sometimes a political gesture, meant to establish the authority of a new manager, it is more often done because the existing policy is either obsolete, or poorly written.
Bad policies are counterproductive in multiple ways. It is usually impractical to follow a poorly written policy, which sends the message to the organization that policies are merely a bureaucratic exercise that can be ignored. In some cases, policies are based on a flawed analysis of risk, requiring employees to unnecessarily restrict their activities in ways that are bad for business. This reduces efficiency, and results in a cynical attitude towards the entire security program.
Policy is often a necessary evil: it draws a line around acceptable employee behavior. Good policy does not guarantee that you will meet your security goals, not by any means. Bad policy, however, will almost certainly lead to a disappointing security program (or any other program).
Make your policy documents something that your successors will want to keep.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.