Please Don’t Do This
A number of years ago I was asked to come in and do an information security risk assessment at a major company. Of course gathering and reading copies of relevant documentation is part of the background work necessary to orient myself to the client’s current information security situation. With this particular client, I was pleased to see that they had bought and used material from my book called Information Security Policies Made Easy. In fact, they had copied one of the templates found in that book, and used it verbatim, without any modification whatsoever. For example, where the template had “Company X,” in those spots where the purchasing organization was expected to put their organization’s name, the policy document they had posted on an intranet server still said “Company X.”
This “make no changes” practice, although an extreme example and fortunately quite unusual, illustrates one of the worst practices in the information security field. It shows that the organization doesn’t care about information security, that they are just doing going through the motions because a business partner required it, because the auditors told them to do it, or perhaps because some law or regulation mandated it. It is a not-so-subtle way of saying “we don’t even care enough to cover up the fact that we don’t care about security.” In decades gone by, perhaps some organizations could get away with this negligent behavior. Back then an auditor who didn’t know any better might be simply going down a checklist with questions like: “Does the organization have an information security policy? (Y/N).” But these days, this glaring indifference to security is not going to be sustainable for long, if at all.
Expertise Required
So it’s great that there are templates of security policies, and other information security documents, that you can start your efforts with. But you need to customize these documents. You need to make them fit with the needs of your organization and make them truly your own. If you don’t seriously customize templates, then there’s no way to determine whether they are even relevant to your environment. So let’s be clear: some person is going to need to understand what the words in the template are saying, and is going to need to determine whether they apply to the organization in question. This implies that you must have someone who knows about information security do this work. It just won’t work to have a secretary, documentation management person — or anybody else who lacks in-depth information security experience — gloss over the task of customizing an information security policy template.
Security policies always have a bunch of assumptions and decisions built into them. There’s no getting away from that. For example, policies coming from a company that operates only in America probably provide privacy only if required by laws or regulations. Meanwhile, policies coming from a company that operates in Western Europe probably provide privacy by default, and then only make exceptions to that stance when necessary to accomplish a particular important business purpose. The person who is reviewing a template is going to need to be able spot these assumptions and decisions, and is going to need to modify the policies so that they fit with the philosophy of the adopting organization.
If you’ve gotten this far in the article, you know that I’m talking about English-language policies, such as “All fixed passwords must be made up of at least eight characters, and they must include both one alphabetic and one numeric character.” I am not talking about templates that come with certain software products, such as Microsoft’s Windows 2000. In the latter, there are “administrative policy templates” that are suggested settings for access control mechanisms. Although this article is about English-language (or for that matter any other human language) policies, rather than machine language policies, in either case you still need someone who has relevant expertise to review the default template before it is pressed into production. In way too many cases of system intrusion, computers have been pressed into service without anybody knowledgeable reviewing the default access control settings, and as a result intruders have soon thereafter easily broken-in. Don’t expect your information security policy to provide anything approaching the necessarily level of security, if your organization fails to do the same review and customization with human language policies.
Credibility Is Key
As the “new kid on the block,” Information Security has to demonstrate that it is a legitimate organizational function similar to Accounting, Marketing, and Human Resources. If a policy document looks like hot air and fluff, if it looks irrelevant, or if it looks like it’s clearly not responsive to the needs of the organization in question, then those who read it will pay it no heed. They will probably stop reading after a few paragraphs, quickly concluding that this policy can’t be anything that people take seriously. So to make sure that your policy is taken seriously, it must be customized to fit the organization in question. Of course you aren’t going to be able to do a good job customizing a policy template unless you have conducted, or at least read a report by those who conducted, a risk assessment.
And nobody is going to take a policy seriously unless you have someone who is checking for compliance, and doing something about the fact that certain people, or systems, or departments, are out of compliance. So the successful use of a policy document has a lot more to it than simply doing a good job with template customization. Thus, to have a policy do the job it is intended to do, it must properly fit with a variety of controls (such as regular internal audits), and a variety of other efforts (such as internal training). And a policy cannot properly fit unless it has first been customized.
Dangerous Decisions
Granted, it is true that many people throwing together an information security policy are busy and overworked, laboring under tight deadlines and considerable stress. While it may at first seem expedient to publish an information security policy template without seriously customizing it, just to get one more item off your to-do list, it is a dangerous practice that may even jeopardize your career. Unless you find another job elsewhere, such a decision will most likely soon come back to haunt you. If you take this apparently expedient route, where you don’t seriously customize a template, you will indirectly communicate to those who read the policy that you don’t know anything about security, or you don’t know anything about the organization where the policy will be implemented, and/or perhaps you have very low quality control standards.
Just because your name isn’t listed on the policy document itself doesn’t mean that they don’t know who put the policy together. When things go wrong in the information security field, management often comes looking for people to blame. And having taken shortcuts, you will be an attractive target for this type of blame. There will be no excuses because the documentation itself is the audit trail pointing back to you.
Future Policy Direction
At some point in the future, we will be able to use expert systems and other software “wizards” that ask questions, that take in answers from users, and then generate complete policies suitable for certain environments. But there aren’t any decent commercially available systems like that today. For now, as is the case in so many other areas of information security, we are still dependent on a considerable amount of human expertise.
So don’t skimp on the customization of your information security policy document. Get somebody who genuinely knows what they are doing to tweak it and make it fit with your organization.
————————————————————————————————
Charles Cresson Wood, MBA, MSE, CISSP, CISA, CISM, is an independent technology risk management consultant based in Mendocino, California. The eleventh edition of his book entitled Information Security Policies Made Easy contains 1400+ already-written information security policies in CD-ROM format. His latest book is Kicking The Gasoline & Petro-Diesel Habit: A Business Manager’s Blueprint For Action (www.kickingthegasoline.com). He can be reached via www.infosecurityinfrastructure.com.