<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: Security Policy Nirvana:  Voluntary Enrollment</title>
	<atom:link href="http://www.riskbloggers.com/ljh/2008/01/security-policy-nirvana-voluntary-enrollment/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.riskbloggers.com/ljh/2008/01/security-policy-nirvana-voluntary-enrollment/</link>
	<description>Security Wisdom Ahead of the Curve</description>
	<pubDate>Mon, 12 May 2008 15:10:31 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.5.1</generator>
		<item>
		<title>By: Sarah Kahler</title>
		<link>http://www.riskbloggers.com/ljh/2008/01/security-policy-nirvana-voluntary-enrollment/#comment-3901</link>
		<dc:creator>Sarah Kahler</dc:creator>
		<pubDate>Mon, 10 Mar 2008 22:39:55 +0000</pubDate>
		<guid isPermaLink="false">http://www.riskbloggers.com/ljh/2008/01/security-policy-nirvana-voluntary-enrollment/#comment-3901</guid>
		<description>A good policy management program will include not only policies, but also control standards that define rules for complying with a policy. By mapping the control standards to authoritative sources such as regulatory requirements and industry standards, employees have a better understanding of the rules for achieving and maintaining compliance. Also ensuring that the right vehicle is used to communicate policies will help with compliance management.</description>
		<content:encoded><![CDATA[<p>A good policy management program will include not only policies, but also control standards that define rules for complying with a policy. By mapping the control standards to authoritative sources such as regulatory requirements and industry standards, employees have a better understanding of the rules for achieving and maintaining compliance. Also ensuring that the right vehicle is used to communicate policies will help with compliance management.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Peter Novosel</title>
		<link>http://www.riskbloggers.com/ljh/2008/01/security-policy-nirvana-voluntary-enrollment/#comment-3883</link>
		<dc:creator>Peter Novosel</dc:creator>
		<pubDate>Fri, 22 Feb 2008 20:46:38 +0000</pubDate>
		<guid isPermaLink="false">http://www.riskbloggers.com/ljh/2008/01/security-policy-nirvana-voluntary-enrollment/#comment-3883</guid>
		<description>Larry makes great suggestions, and I absolutely agree that you have to create not just a "good security policy" from a legal perspective, to be effective you need to create policy that is coherent, easily-understood, consistent and accessible. Unfortunately for most organizations that combination is a very tall order.

Doing this effectively means having a centralized management solution that will enable your company leadership to first understand what they are trying to accomplish via the policy, and then create and manage policy updates. Without a method to do this and publish the resulting end product - and do so on a going-forward basis as policies are updated and added - you will invariably end up with inconsistencies, disjointed rules, and confusion that result in end-user non-compliance.

Every organization will need their own exception management process as well, as security policy exemptions or exclusions happen in every environment. To coordinate this with existing policies I feel that it is essential to have an integrated software system that helps you gain control of the entire process, as well as visibility to your existing policy - and compliance - situation.

By unifying these processes and data it becomes possible to link policies to actual business requirements and situations, to unify tone and language, and to control the exemptions to established policy. This not only makes the policy manager's life easier, it helps reduce risk to the business as well.

Peter Novosel
VP Products
&lt;b&gt;&lt;a href="http://www.archer-tech.com" rel="nofollow"&gt;Archer Technologies&lt;/a&gt;&lt;/b&gt;</description>
		<content:encoded><![CDATA[<p>Larry makes great suggestions, and I absolutely agree that you have to create not just a &#8220;good security policy&#8221; from a legal perspective, to be effective you need to create policy that is coherent, easily-understood, consistent and accessible. Unfortunately for most organizations that combination is a very tall order.</p>
<p>Doing this effectively means having a centralized management solution that will enable your company leadership to first understand what they are trying to accomplish via the policy, and then create and manage policy updates. Without a method to do this and publish the resulting end product - and do so on a going-forward basis as policies are updated and added - you will invariably end up with inconsistencies, disjointed rules, and confusion that result in end-user non-compliance.</p>
<p>Every organization will need their own exception management process as well, as security policy exemptions or exclusions happen in every environment. To coordinate this with existing policies I feel that it is essential to have an integrated software system that helps you gain control of the entire process, as well as visibility to your existing policy - and compliance - situation.</p>
<p>By unifying these processes and data it becomes possible to link policies to actual business requirements and situations, to unify tone and language, and to control the exemptions to established policy. This not only makes the policy manager&#8217;s life easier, it helps reduce risk to the business as well.</p>
<p>Peter Novosel<br />
VP Products<br />
<b><a href="http://www.archer-tech.com" rel="nofollow">Archer Technologies</a></b></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Steve Suther</title>
		<link>http://www.riskbloggers.com/ljh/2008/01/security-policy-nirvana-voluntary-enrollment/#comment-3861</link>
		<dc:creator>Steve Suther</dc:creator>
		<pubDate>Mon, 18 Feb 2008 18:06:16 +0000</pubDate>
		<guid isPermaLink="false">http://www.riskbloggers.com/ljh/2008/01/security-policy-nirvana-voluntary-enrollment/#comment-3861</guid>
		<description>Congratulations Larry!  It’s always great to see someone take what can be overbearing information security policies and make them readable and meaningful to the businesses they are meant to protect and serve.  Way too many times I’ve worked in organizations where these policies are buried in unsearchable databases, shared drives, or MS Word documents somewhere on an Intranet.  Once found, they’re intermingled with architectural standards or operational procedures. Give your end users a hierarchy of policies based on business relevance, filter or collapse sections that don’t apply to them, and make the policies easy to get to and understand.  Training at their own time and own pace with a bit of comprehension testing will really get people thinking about what’s the right thing to do, and to your point, they may very well voluntarily go seeking the information they need to make those decisions in the future.</description>
		<content:encoded><![CDATA[<p>Congratulations Larry!  It’s always great to see someone take what can be overbearing information security policies and make them readable and meaningful to the businesses they are meant to protect and serve.  Way too many times I’ve worked in organizations where these policies are buried in unsearchable databases, shared drives, or MS Word documents somewhere on an Intranet.  Once found, they’re intermingled with architectural standards or operational procedures. Give your end users a hierarchy of policies based on business relevance, filter or collapse sections that don’t apply to them, and make the policies easy to get to and understand.  Training at their own time and own pace with a bit of comprehension testing will really get people thinking about what’s the right thing to do, and to your point, they may very well voluntarily go seeking the information they need to make those decisions in the future.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
