Following our IT Orientation sessions last week, we determined that it was a good time to review our information security policy for any required updates and to make sure that staff understand and comply with it. Ideally, our policy should be comprehensive but not so lengthy and complex that it never gets read, let alone followed. The point of the policy is to give employees clear boundaries within which to operate, not just to satisfy an audit or legal requirement. Easier said than done.
If you do a quick web search you will find a lot of really long sample policies, clearly something that few end-users have time to read, even though they are supposedly held responsible for adhering to it. The most credible guidance I could find recommended an excellent process, but one that would take an entire department months (or longer) to work through. And it still depends on the team’s knowledge of the current security landscape. Few non-profits or small businesses have that kind of resources. Even if they do, is that the most effective use? In other areas (e.g. electrical codes, food safety), the government or industry organizations define very clear policies that organizations can adopt as their own. They don’t spend time figuring out at what temperature to cook the chicken. But we do in IT.
There should be a simple and freely available IT baseline vetted by security experts that any organization is encouraged (eventually required to) adopt. Of course, no policy can account for every unique environment. So on top of the baseline, the organization’s unique attributes would dictate additional policy considerations. Most of these would be in the form of “if your organization uses X technology then adopt Y policy.” As the policy creator you would simply have to check off the technologies currently in use in your environment.
It appears that ISO and other standards-issuing entities have formed very complex and lengthy recommendations or certification checklists. Here again practicality is being sacrificed for completeness. It’s the age-old security paradox: to make something truly secure you have to make it inaccessible even to those who need to accomplish something with it.
Security policy should be primarily influenced by IT security and user behavior researchers, who best know how to balance that equation (usability vs. security). These are the folks with the greatest expertise in this field, but their crucial knowledge is not readily available to those who could have the broadest impact on the security of our technology resources: IT admins, trainers and end-users.
This is an area in which IT is in desperate need of maturity. Electricians don’t wonder whether insulation should or should not be included on electrical wiring for our homes and offices because the UL (or someone) long ago created a standard that is not even questioned today – and we’re all safer for it.