Considerations to Keep in Mind When Implementing New Security Policies
Any time you implement a new security policy in an environment, you are implementing change.
Change can have positive effects, but there are very specific considerations when producing a new security policy that can be the difference between a policy that meets business needs and one that does not.
Here are our top tips:
Top 5 Tips When Implementing New Security Policy
Tip #1: Publish Your Security Policy
People often spend most of their policy development effort on building the security policies, but forget to make them available so that the people they apply to know what they are. It is even worse when you punish someone for not following a policy that was never made available.
I was recently on a vacation where the resort implemented a policy to claim items left on a lounge chair to prevent people from reserving the best chairs while not there.
Good idea for the late sleepers, but the resort just took people’s stuff and then left a note that said they were claiming your things according to published policy.
Great, but the policy was not published anywhere. Those of us early risers who work on the lounge chairs in the morning got to watch person after person get infuriated as they found their notes.
Tip #2: Ensure Security Policy Instruction is Clear
The wording of a security policy needs to be clear, and it must be in the language of its audience.
Don't use acronyms that people won't understand, and don't use specialized terms unless the policy defines them completely.
Most importantly, I generally leave all security nomenclature out of my security policies, unless the terms are strictly defined.
Tip #3: Understand Outlier Situations
There are always unconventional people in your organization who work outside the normal working conditions. That is normal for them, but it may break policy.
The funny thing is that these people are often abnormal in a good way: the top producers, the most creative, or the most important people in your organization. Ensure that your security policies consider these people and situations in how they are applied.
Tip #4: Understand Security Policy Liability
Make sure you think through the liability in your security policies. Suppose you set a direction to inspect every bag that comes into your building. Fine, but think through what happens if your team breaks something while doing it.
Tip #5: Match the “Why” with Application
There should be a very clear reason why you have a specific security policy. Once it is implemented, you need to measure whether the application of the policy actually addresses that reason. It is a simple exercise, but very powerful and often forgotten.
If you have any questions or need help with your Security Policy, connect with us!
CISOSHARE’s President and CEO
Mike Gentile has been helping organizations build Information Security Programs for more than 20 years. He has written multiple recognized books on the subject, given hundreds of presentations, and built many Security Programs in both internal and external consulting roles.