Sarah Clarke and a few others were running a discussion on Twitter trying to hash out if security policies have any value. The discussion was started by a person critically stating that as far as he was concerned, they have no value at all.
As Twitter isn’t a good medium for summarizing the potential values that were identified, Sarah and I challenged each other to both blog about, with both a public awareness/educational purpose, but also to test how closely aligned our thoughts are on the subject. You can read Sarah’s thoughts here.
Note: where I don’t specifically say security policy, it’s because I think the argument applies to policies in general.
1) The foundation for the consistent, reliable and predictable operation of a business
As with modern societies that were all built on a foundation of laws, the same goes for enterprises and running such successfully. You need policies to lay the foundation for consistent, reliable, predictable operation of a business. Without some kind of expense policy, employees can spend money on whatever, and without security policies, things like acceptable use of devices cannot be regulated.
Nothing says compliance like a policy. Auditors, in general, have very little understanding for verbatim accounts of how you do this and that. Policies and extracts are required. ISO 27k even lists a policy as one of the main requirements.
3. Demonstrating adherence to and respect for relevant laws and regulations
Beyond mere compliance, policies are also good for proving adherence not only to the text of a law but also the spirit of the law—in acquiring and keeping a banking license, for example, policies show lawmakers that you mean business.
4. As a disciplinary justification
When you have to let an employee go, and you’re stuck with doing business in countries that either make this a rather difficult matter for legal reasons or because of the strength of unions, you need to be able to demonstrate behavior that is in conflict with policies, as well as policies that allow for disciplinary measures if not followed.
5. As an awareness and educational tool for top management
As a consultant, you’re brought in because there’s a perceived need to analyze and usually fix something. Arguing, explaining and discussing with top management is easy, but they also need a concrete output from your efforts. So, instead of delivering a report with finger pointing, I usually prefer to deliver a few policies of “how things should be” augmented by an “action plan/improvement plan/roadmap” that leads towards the policy-dictated better place.
Approving the actual content of policy with the top management of a company gives a lot of opportunities to discuss details and create awareness around important issues.
6. To bring an out of control IT department/employee back in line
You may have met this guy – Mr. Recalcitrant Knowitall, who thinks everything you’re trying to do is wrong and wants to keep sitting on his hoard of hoarded knowledge that makes him indispensable for all the wrong reasons. Sometimes a well-written reasonable policy, clearly backed by management can turn this guy around. I’ve seen it happen.
7. To raise the bar of knowledge
A well-written policy can raise the bar of the lowest common denominator for the level of knowledge in a security or IT department. To the extent that colleagues will follow them, telling them to do this in that way and that in this way will help a lot, even if they at the time don’t know why.
Tell them that this is the way, explain why and let them challenge. Sometimes discussion beats learning by doing and failing. This is the first item out of seven so far that actually impacts the level of security for your company. Scary.
8. To drive funding
Nothing beats using compliance to drive funding (ironically, since compliance is stupid mostly), but using an actual gap between an agreed policy and reality is actually a good justification for spending increases. Or, depending on managements mood, policy changes.
9. A good security policy prevents breaches
Nah. Not really. Kidding.
10. Management commitment
A policy using the words of your management, that’s been hashed out and agreed between these and you, is a great tool for actually getting management committed to security. Every time you pull it out, they’ll like the words and phrases used, and thus be favorable to whatever you’re doing. Except Monday morning. And Friday afternoon. And except if it hurts the business. Or if it’s annoying.
The conclusion seems obvious, right? There are plenty of good reasons to have security policies, but very few reasons to expect them to directly influence your defensive posture. To achieve that, define a security strategy and work from there, building your pyramid bottom up just like the Egyptians. Focus on the basics first.
About the Author: Claus Cramon Houmann currently runs an IT Consulting company plus works as Head of IT for a bank in Luxembourg. Claus previously worked in the IT outsourcing industry for many years. He actively supports initiatives that aim to improve security for us all, most notably the iamtheCavalry movement and The Analogies project, which he hopes to help spread to Europe/Globally. Claus is an active blogger, blogging for Information Security Buzz and Peerlyst.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.