What makes a good security policy

Jan 18th, 2010

Luckily we have Google. With Google you can find pretty much anything these days, especially if it has some relation to IT. Security policies are no exception: a search yields about 6,000,000 results at the time I am writing this, with the SANS (SysAdmin, Audit, Network, Security) Institute featuring prominently as a top result. There are many templates to choose from, but the sheer number is also a good indicator that one size does not fit all.

Every organization should develop its own security policy (any policy, for that matter); a cut-and-paste from another organization will simply not work. A good security policy is a compromise between several factors, and the most important of them is that it has to be usable. What "usable" means depends on who you ask.

  • For the system administrator, a good security policy needs to be implementable. User education is great and yields good results, but some rules need to be enforceable system-side (a screen-lock timeout or a password length requirement, for example); a rule that relies on users remembering it is hard to enforce and even harder to verify.
  • For the user, a usable security policy means a readable policy, something they can relate to and understand.
  • For the security specialist, it means a policy whose requirements are concrete enough to audit against.
  • For the business, a good security policy is one that provides a reasonable level of protection without interfering with business processes. This is what makes a security policy so organization-specific.

You probably cannot achieve all of these in a single document, especially if you want your users to actually read it. For a security policy to be good and successful, your users have to believe in it, so you need to "sell" the policy to the organization. A good sales pitch is a short version of the policy that contains only its essence and only what really concerns the user, while still referencing the full policy for those who want to read it.

Good security is achieved through technology, but above all through people. Use a good policy to describe what your organization is trying to protect and how each user can play their part, and sell the policy in such a way that people trust in it. Never forget that your purpose is to help the business, not to hinder its evolution.

A good read:
