One of the cornerstones of security is policy and as much as most of us dislike writing them, without them we are all pretty much floundering around. So today’s tips relate to developing and distributing policies.
We’ll get the basics out of the way. Why do we need policies? Policies outline the do’s and don’ts for the organisation, so staff and management both know where they stand in relation to important issues. Policies also help modify behaviour: if people are surfing for porn, you put a policy in place to help change that behaviour.
So what do we need? These are a few of the obvious points, but important nonetheless:
After writing the policies you will need to make sure they are disseminated. There have been plenty of examples over the years where people have been sacked and then reinstated because of weak policies, or policies that weren’t enforced or were enforced inconsistently. The traditional methods are publishing on the intranet, covering them as part of the induction process, document management systems, etc. A good idea is to develop a quiz which must be taken by staff. That way the lessons are reinforced and you have a register of who has read and understood the policy.
So which policies do you need? It depends on the organisation and whether you are working to standards like ISO/IEC 27001, SOX, etc. The basic ones I think you should consider are:
That’s a quick start to the day. Send in tips for disseminating policies, reinforcing the message, and good practices and bad.
Mark H - Shearwater
Oct 6th 2007