Policies are important tools that allow businesses to set standard operating assumptions across their workforce. Externally, they govern the flow of information between the organization, its vendors, and its clients. Internally, policies define who is cleared to access each class of data and what counts as acceptable use of company resources, all the way through how managers interact with their direct reports and how people get into the building. And while some of these policies are nonnegotiable (policies implementing federally mandated Equal Opportunity laws, for example), your security policy is completely under your control.
Writing for Security Intelligence, consultant Kevin Beaver suggests that an organization’s security policies might themselves be what’s getting in the way of good security. Beaver notes that when developing a policy, security leaders place too much emphasis on the paperwork: documents covering how you handle data backups, employee-owned devices (BYOD), passwords, and company-owned mobile devices, to name a few.
In addition to “creating an undue burden” on information and security personnel, Beaver asserts that having highly detailed security policies is also problematic, as they create “a false sense of security” and make it appear “that security is being properly addressed even when little to no controls exist.”
The problem stems from how security policy gets created. According to Beaver, security policies are often drafted by legal and compliance personnel without anyone involved in the nuts-and-bolts security work actually being consulted. Often, the policies are “thrown together at the last minute to look good for an upcoming audit, to meet customer or business partner requirements, or to land big business deals.”
Security Policies Should Dovetail with Security Practices
To make a security policy work, it needs to reflect the needs of the people who will implement and enforce it. That means not putting the cart before the horse: develop a full understanding of your organization’s risk profile before writing the policy. At a minimum, this would include a review of known security gaps.
To get an accurate picture, however, Beaver suggests hiring someone to conduct comprehensive vulnerability and penetration testing. With that level of detail in place, you can see the vulnerabilities the assessment turns up and how they connect to one another. From there, policy can serve as an adjunct to training and other security controls, addressing your security needs as they actually are rather than as the paperwork assumes them to be.