Making security policies more secure

Following up on my last entry, I have a few more thoughts about security policies.  My focus is not about content, but about approach and process.  What I have found is that most businesses do a reasonable job in developing the content used in their security policies.  The fall down comes in the implementation. 

As I discussed last time, the primary problem with most security policies is that they are so long and frequently convoluted that the average employee won’t take the time to read them or, worse yet, even if they invest the time, won’t understand the policy.  I have seen security policies of nearly 70 pages, with references to more than a dozen side policies.  That’s not the type of document we can reasonably expect the average employee to understand.  I am not saying that such a policy may not be warranted, given the complexity of some businesses.  What I am saying is that such a security policy is not what you would want to hand out to every employee.  In cases in which the security policy simply cannot be reduced to a relatively few pages, the answer is to create a secondary document that summarizes the most important points in the primary security policy.  It is that secondary policy that would then be circulated to the average employee.

With regard to the policy itself, the focus should be on crafting a document that can easily understood by someone who is not a security professional.  That means defining key terms, avoiding excessive use of acronyms, and including summary paragraphs at the top of important sections.

Once an appropriate, understandable policy is written, the standard approach is to provide employees with a copy and require them to sign an acknowledgement that they have received and read the policy.  While this is helpful from a legal perspective, it is unlikely to ensure the employee actually understood what was written.  This brings us to the topics discussed in my earlier entries:  conducting employee education regarding security is absolutely critical.

Mandatory new hire training, ongoing security awareness training, and exit interviews should be the norm.  Security bulletins should be circulated on a regular basis to highlight new threats and risks (e.g., the use of wireless networks, removable media, and employee camera phones).

A recent survey conducted by InformationWeek/Accenture Global Information Security found that ten percent of companies never conduct training and only eight percent conduct quarterly training.  The survey showed most business conduct training annually or on a completely ad hoc basis.  Something more structured must be done.

Distribution of the policy and training should be followed by enforcement.  This means monitoring employee compliance and, when necessary, taking appropriate action to address infractions.  An initial, minor infraction may only warrant remedial education and a warning.  Substantial or repeated infractions may mean disciplinary action, up to and including termination.  Employees should also understand breaches may subject them to personal civil and criminal liability.  The point is not to threaten employees, but to make it clear infractions will result in very real consequences, including the loss of their job.