The Seven Deadly Sins of Security Policy
Are your security policies really managing your organization's risks? Or are they just 'check-the-box' rules? We detail common policy mistakes security pros often make
By Joan Goodchild, Senior Editor
October 06, 2009 — CSO —
In today's compliance-centric world, your organization may have so many security policies that you've lost track. But how effective are your policies at really mitigating the risks you face? And are there some that you might have put in place simply to follow the law but that just aren't being enforced? According to the policy experts we interviewed, those are just two of the several common mistakes an organization can make when putting policies on the books.
Here, we detail seven regularly-seen sins witnessed by two security consultants in the field. Read on to find out which ones you might be committing, and how to make things right if you are.
Failing to do a risk assessment before crafting a policy
The first question any organization should ask before writing any policy is "Why do we need this policy and what are we trying to achieve with it?" It sounds obvious, but it is a crucial step many overlook, according to Charles Cresson Wood, an independent information security consultant based in California and the author of several information security books.
"I'm working with one client now who is compelled by laws and regulations to issue policies and awareness materials, but they haven't done a risk assessment in three years," said Cresson Wood. "They don't really know what they are up against. So these policies can't help but miss the mark. Yes, they will be in compliance with the letter of the law, but certainly not the spirit."
Cresson Wood said he is trying to bring a more holistic and integrated view of information security and policy crafting to his clients, so that the policies they implement actually work. Too much policy work, he said, is driven by compliance. (Read: The Dangers of Over Reliance on Compliance) In fact, he doesn't even like the word 'compliance.'
"It implies users are compromising themselves or being dominated by someone. We need to get groups of people on board with what we are trying to do with these policies. I prefer the term 'unity of purpose.'"
In short, the first step, before you even think about putting anything down in writing, is to do a comprehensive risk assessment so you know exactly what your organization needs the policy to address.
Having a 'one-size-fits-all' mentality
"This may sound strange coming from me," said Cresson Wood, who actually authored a book with templates for organizations to use when developing policies. "But those are just a starting point."