One of my first tasks after leaving NSA for private industry in the early 90s was to write my new company’s information security policy. I’m not sure my previous job as a cryptanalyst left me qualified for this, but I was viewed as the security guy. So, I attacked the task with vim and vigor.

That first information security policy I wrote was a thing of beauty. I scoured the Orange Book and other resources to find every security requirement that might help us prevent a security incident. I picked the most rigorous option for every security control. There was no way we were going to get hacked. Not on my watch.

The policy came in at just under 100 pages. It was completely unusable. It was completely ignored.

I’ve learned a lot about effective security governance documents since that early fail. One of the unexpected and quite frankly most effective lessons learned is developing the audit program in parallel with a security governance document. The actual audit has value, as well, but I believe the planning for the audit prior to policy approval is even more important.

Mandatory and Auditable Statements

You need to be clear about whether you are writing a mandatory policy or procedure or a helpful guideline document filled with recommendations. Mandatory security governance documents are filled with sentences that use “must” or “shall.” These are not optional good security practices that are encouraged or security controls to consider. They are firm requirements that carry consequences if they are not followed.

Security governance documents in which only some of the security requirements are considered real and enforced are unfair to all. How are the employees to know which “must’s” or “shall’s” are serious and which are only guidance? You risk losing the benefits of the