I do a lot of policy review for Gartner clients, and I see many of the same counterproductive practices over and over again.
Requirements to ‘do what is appropriate’ or ‘obey the law’ are tantamount to saying “we won’t tell you specifically what to do, but if you don’t do it, we will punish you.” How can that possibly be productive in improving morale or reducing the propensity to engage in inappropriate behavior? If the institution wants employees to follow a certain line of action, then they must support them in making effective decisions. If the corporate counsel’s office doesn’t know what the law requires, then it makes no sense to demand that employees follow the law.
A second form of counterproductive policy is typified by words such as ‘may’ and ‘as required’. “…shall take the necessary actions.” is a thinly veiled way of saying “We know we are missing something important, so we reserve carte blanche to interfere with your life in the future.”
Recognize that there are an infinite number of bad things that could occur, and that policy can do very little about it. Concentrate instead on practical and specific requirements and clear lines of responsibility.
Treat policy as a communications mechanism to improve employee willingness and ability to protect the enterprise. Do not use policy as a way to dump your risk on somebody else’s lap.