Considerations to Keep in Mind When Implementing New Security Policies
Any time you implement a new security policy into an environment you are implementing change. Change can have positive effects, but there are often very specific considerations when producing a new security policy that can be the difference between a policy that meets business needs and one does not. Here are the top tips:
Top 5 Tips When Implementing New Security Policy:
Tip #1: Publish Your Security Policy – Many times people spend most of their policy development efforts on building the security policies. But people forget to make them available so people know what they are. It is even worse when you punish someone for not following a policy that is unavailable.
I was recently on a vacation where the resort implemented a policy to claim items left on a lounge chair to prevent people from reserving the best chairs while not there. Good idea for the late sleepers, but the resort just took people’s stuff and then left a note that said they were claiming according to published policy. Great, but the policy was not published anywhere. For us early risers that work on the lounge chairs in the am, we got to watch person after person get infuriated as they found their notes.
Tip #2: Ensure Security Policy Instruction is Clear- The verbiage in a security policy needs to be clear, and also must be in the language of the audience. Do not use acronyms that people will not understand, nor terms that are undefined unless they are totally defined. Most important, I generally leave all security nomenclature out of my security policies, unless the terms are strictly defined.
Tip #3: Understand Outlier Situations – There are always wacky people in your organization that will work outside the normal working conditions, which is normal for them but may break policy. The funny thing is that these people are often abnormal in a good way. The top producers, the most creative, THE MOST IMPORTANT TO YOUR ORGANIZATION. Ensure that your security policies consider these people and situations in their application.
Tip #4: Understand Security Policy Liability- Make sure you think out the liability in your security policies. If you set direction to inspect every bag that comes into your building. Ok, but think thru what happens if your team breaks something while doing it.
Tip #5: Match the “Why” with Application – There should be a very clear reason why you have a specific security policy. Further, once implemented, you need to measure if the application of your security policy, in the end, addresses the why. Simple exercise, but very powerful and often forgotten.
If you have any questions or need help with your Security Policy, connect with us!