Enforcing a Security Policy
It's easy enough to write a security policy, but the devil's in the details when you start talking about enforcement.
By Anonymous
November 01, 2003 — CSO — Don't know about where you work, but in most places policy is a four-letter word. Management, especially, tends to bristle at the notion. "That's not the way we do things around here," they'll say. Or, "We don't need a policy. We've got bright people who will automatically want to do the right thing." Or how about, "I hired you to influence and to lead. If you have to rely on a piece of paper to get things done, maybe I've hired the wrong guy."
Nevertheless, I'm someone who's bullish on security policy for, I think, all the right reasons. Because, for one, it frames our work as CSOs. And because it also provides a hook to the resources we CSOs require. I've worked long and hard over the years to develop a solid security policy at my organization, and I've had some luck getting senior management buy-in.
I even gave a presentation on security policy at a security conference a year or so ago. As I prepared my pitch, I couldn't help but wonder what the sponsors were hoping for. I mean, it was about boring, bureaucratic B.S. (and that's not a college degree, by the way).
Well, as it turned out, it topped the hit parade in the participant evaluations, and I still get requests for copies of the presentation today. I'm quite sure that it wasn't my phenomenal charisma that made such an impression, so I've circled back more than a few times to learn why people care about policy.
One CSO in particular was interested in learning how I had approached the enforcement part of policy. And as I started to dig into what I thought was familiar land, I hit a rock. While it's easy to spout off about the way things ought to work, it's another thing altogether to try to tell someone how to enforce the rules. Policy policing, it turns out, is not as easy as it sounds.
Many chief information officers and others at the top pay only lip service to supporting infosec policies. Nimda
"Hmmm," says the CEO, finally. "If we have a policy on this, maybe we need to be more forceful in enforcing it."
Eureka.
History Lesson
My dictionary defines policy as "a plan or course of action as of a government, political party or business designed to influence and determine decisions, actions and other matters." Now, believe me, I'm all about influence. But determining decisions and actions? That's another matter. In fact, it's one hell of a stretch.