January 22, 2008

One of my favorite papers to quote in security talks has nothing at all to do with security: Power, Politics and MIS Implementation. It essentially concludes that executive fiat isn’t effective in getting people to buy into new MIS systems that they find distasteful to use. Forgive the antiquated MIS reference, but we’re talking circa 1983. Back in my IBM 360/370 COBOL days actually.

Today’s security is the MIS of yesterday. To wit, read Employees’ Behavior towards IS Security Policy Compliance whose conclusions are not dissimilar.

In my experience, to achieve voluntary enrollment — which should always be our goal in everything security — security policies must:

  • Cite the business motivation behind the policy umbrella (e.g. “To remain an extraordinary company, we must continually earn our customers’ trust…”)
  • Adopt the same tone, voice and legibility as your company’s Employee Handbook. Which usually isn’t designed to scare people into compliance, in case you hadn’t noticed.
  • Cite the business rationale, spun positively (e.g. “Like our other software development rigors, secure coding practices are widely recognized as tonic for the reliability of our mission-critical systems…”)
  • Recognize that the business knows it’s not always in its best interest for everyone to follow every policy to the letter, and when that inevitably occurs in a crisis, what to do about it (e.g. “Use your best judgment, after seeking a second opinion unless that’s impossible, and notify the CISO within 12 hours.”)
  • State to whom to appeal when a formal request for a policy exception is denied. Even if you know that the requester will have to file six forms in triplicate, have a human tell them that, not the policy.
  • If you need legalese-rich preambles (e.g. “This policy changes from time to time, sometimes without prior notice…”) — which I do advise with your Legal department’s oversight — make its text collapsible with those nifty [+] widgets, so readers can get right to the point without having to scroll beneath the fold.

Finally, never stop asking people at all levels how good a job you did at delivering it. If you haven’t sold them in principle, you’re nowhere near done.

By Larry J. Hughes, Jr. • Articles

3 Responses to “Security Policy Nirvana: Voluntary Enrollment”

  1. Steve Suther Says:

    Congratulations Larry! It’s always great to see someone take what can be overbearing information security policies and make them readable and meaningful to the businesses they are meant to protect and serve. Way too many times I’ve worked in organizations where these policies are buried in unsearchable databases, shared drives, or MS Word documents somewhere on an Intranet. Once found, they’re intermingled with architectural standards or operational procedures. Give your end users a hierarchy of policies based on business relevance, filter or collapse sections that don’t apply to them, and make the policies easy to get to and understand. Training at their own time and own pace with a bit of comprehension testing will really get people thinking about what’s the right thing to do, and to your point, they may very well voluntarily go seeking the information they need to make those decisions in the future.

  2. Peter Novosel Says:

    Larry makes great suggestions, and I absolutely agree that you have to create not just a “good security policy” from a legal perspective; to be effective you need to create policy that is coherent, easily understood, consistent and accessible. Unfortunately for most organizations that combination is a very tall order.

    Doing this effectively means having a centralized management solution that will enable your company leadership to first understand what they are trying to accomplish via the policy, and then create and manage policy updates. Without a method to do this and publish the resulting end product - and do so on a going-forward basis as policies are updated and added - you will invariably end up with inconsistencies, disjointed rules, and confusion that result in end-user non-compliance.

    Every organization will need their own exception management process as well, as security policy exemptions or exclusions happen in every environment. To coordinate this with existing policies I feel that it is essential to have an integrated software system that helps you gain control of the entire process, as well as visibility to your existing policy - and compliance - situation.

    By unifying these processes and data it becomes possible to link policies to actual business requirements and situations, to unify tone and language, and to control the exemptions to established policy. This not only makes the policy manager’s life easier, it helps reduce risk to the business as well.

    Peter Novosel
    VP Products
    Archer Technologies

  3. Sarah Kahler Says:

    A good policy management program will include not only policies, but also control standards that define rules for complying with a policy. By mapping the control standards to authoritative sources such as regulatory requirements and industry standards, employees have a better understanding of the rules for achieving and maintaining compliance. Also ensuring that the right vehicle is used to communicate policies will help with compliance management.
