Making security policies more secure

Feb 14, 2007 | 3 mins

Data and Information Security | IT Leadership | Physical Security

Following up on my last entry, I have a few more thoughts about security policies. My focus is not on content, but on approach and process. What I have found is that most businesses do a reasonable job of developing the content of their security policies. The shortfall comes in the implementation.

As I discussed last time, the primary problem with most security policies is that they are so long and frequently convoluted that the average employee won’t take the time to read them or, worse yet, even if they invest the time, won’t understand the policy.  I have seen security policies of nearly 70 pages, with references to more than a dozen side policies.  That’s not the type of document we can reasonably expect the average employee to understand.  I am not saying that such a policy may not be warranted, given the complexity of some businesses.  What I am saying is that such a security policy is not what you would want to hand out to every employee.  In cases in which the security policy simply cannot be reduced to a relatively few pages, the answer is to create a secondary document that summarizes the most important points in the primary security policy.  It is that secondary policy that would then be circulated to the average employee.

With regard to the policy itself, the focus should be on crafting a document that can easily be understood by someone who is not a security professional. That means defining key terms, avoiding excessive use of acronyms, and including summary paragraphs at the top of important sections.

Once an appropriate, understandable policy is written, the standard approach is to provide employees with a copy and require them to sign an acknowledgement that they have received and read the policy.  While this is helpful from a legal perspective, it is unlikely to ensure the employee actually understood what was written.  This brings us to the topics discussed in my earlier entries:  conducting employee education regarding security is absolutely critical.

Mandatory new hire training, ongoing security awareness training, and exit interviews should be the norm.  Security bulletins should be circulated on a regular basis to highlight new threats and risks (e.g., the use of wireless networks, removable media, and employee camera phones).

A recent survey conducted by InformationWeek/Accenture Global Information Security found that ten percent of companies never conduct training and only eight percent conduct quarterly training. The survey showed that most businesses conduct training annually or on a completely ad hoc basis. Something more structured must be done.

Distribution of the policy and training should be followed by enforcement. This means monitoring employee compliance and, when necessary, taking appropriate action to address infractions. An initial, minor infraction may only warrant remedial education and a warning. Substantial or repeated infractions may mean disciplinary action, up to and including termination. Employees should also understand that breaches may subject them to personal civil and criminal liability. The point is not to threaten employees, but to make it clear that infractions will result in very real consequences, including the loss of their job.


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.