Security Policy Oversights and Mistakes We Keep Making

Get With IT

By Kevin Beaver, CISSP

Security policies are so last year. They are boring and unsexy and merely exist to please the auditors and regulators. Everyone knows that once you have them in place, you really don't need to spend any effort managing and enforcing them. Okay, I'm exaggerating the point, but this is the exact vibe I get from so many IT/security managers, compliance officers and business executives when discussing security policies. They are seemingly as much a nuisance as they are a necessity. But people will often download existing policies off the Web and muscle through the motions, leaving it at that — and the business is really no better off than it was before. In fact, this very scenario often creates a false sense of security and compliance, which really makes the problem worse.

Rather than stirring around at the back of the

For the love of risk management, don't confuse policies with procedures and plans. Security policies are statements of "this is how we do things here," and procedures and plans outline how each policy will be carried out, enforced and otherwise managed. Unfortunately, these are often intermingled — creating confusion and unnecessary complexity. Above all else, you can't view policies as "someone else's issue." I see time and time again situations where a network administrator says that management is working on policies, or a CSO assumes the information security analyst is handling them, and so on. There's no real responsibility and accountability. Security policies aren't just a corporate security issue, nor are they an IT-only issue. Oversight by a compliance manager is not enough either — the reality is that security policies should be developed, managed and enforced at a security committee level, period.

Security policies aren't going to magically make your business "secure" or "compliant." That said, organizations that have documented security policies and have taken the time to get everyone on the same page have a much better grasp of information security. I know if I see good policies, then odds are I'm going to find fewer technical and operational risks in my assessment projects. I also know that I'm going to be able to speak with people in IT, HR, legal and management, and everyone's pretty much going to be on the same page. Like a good set of goals, they work and live by their security policies rather