Wednesday, November 28, 2007

On policy writing

I have been working on documenting how information security policies should be written and implemented. The gist of it is:

Only write a policy when there is a real need to do so. When a policy is written, keep it as short as possible. Make sure that any requirement identified in the policy can be monitored and that compliance with it can be enforced. Always make sure that implementing a policy does not prevent necessary work from getting done, or incur unreasonably high costs. For this reason, every policy should state whether deviation from the policy is permissible and, if so, which role may authorize such deviations.


When I sent out the full document for review, one of my coworkers came up with the following gem:

"As XXX can attest, the sysadmins have been looking forward to the time when some policies might be implemented, though I would say that we envisioned policies that applied to the user community, rather than ourselves." I thought that was pretty funny :-)

And on a totally unrelated note: SANS just published their new SANS Top-20 2007 Security Risks (2007 Annual Update) report. I am sure that many other bloggers will comment on it, so I will refrain from doing so. For example, the terminal23 blog was the first one that I read.
