What do your policies look like? If your organization is like most, then your policies are probably voluminous and all-encompassing. This is a good thing – or is it?

Probably one of the most painful aspects of being an infosec professional is having to author or review policies. (Audit is the other painful aspect.) When you first entered the field, you had dreams of hacking the planet, but as you move along and progress, you may find your skills starting to fade as you slowly become more “managerial.”

Moving up the food chain is excellent for your finances and your professional development, but it comes with the price of being branded a “policy wonk.” Ouch!

I have previously written about career progression in a corporate infosec environment, and I am confident that these promotions are excellent on an individual level and equally great for the progression of the infosec profession.

As you find yourself in the position of authoring policies, how do you proceed? Do you like to include everything possible in that policy?

One of the great curses of comprehensive policy documents is that they are only used when something goes wrong. The battle cry of “did you follow the policy?” is usually met with one or both of the following responses:

– I didn’t know there was a policy; and

– What policy?

As with any good presentation, you must know the audience for your policies. Most system administrators have neither the time nor the interest to read a 45-page document about the baseline configuration for a firewall or other network appliance.

Similarly, an employee is not going to study your equally long security policy. These lengthy tomes become the equivalent of those end user license agreements that we all tend to ignore in search of