I have been an avid listener to almost all of the well-known security podcasts, and I have more often than not come across references to security policies; this post will specifically talk about those. First I must add that all of the security podcasters are very knowledgeable and I have great respect for all of them, but at times there seems to be some confusion when they talk about security policies. Just today I was listening to this excellent podcast, which was very interesting and had some great content, but then I found myself contemplating the words of the podcaster. It was being suggested that security policies were not being updated to include new and emerging technologies, like some Web 2.0 systems and other emerging technologies.

There are at least a couple of philosophies for developing security policies, but my take has always been to keep the security policy as lean as possible, like a constitution. Perform a risk analysis against your core business, and then come up with a security policy that includes protection against those risks. Once you have that, there shouldn't be a need to update the security policy whenever there is a change of technology. I do agree that there might be changes in the business that change the business's risk profile and hence require a review of the security policy, but other than that the security policy should remain pretty static.

Let me present an example. Say we have a company. One of the ways the company keeps its competitive edge is by keeping tabs on what is being developed at its R&D labs. All of that information is tightly controlled and requires protection against unauthorized disclosure. A good security policy item for such a requirement should be very simple and should read something like:
- Security policy mandates protection against unauthorized release of data.
This one line in a security policy should be enough to cover all current and future technologies. Not only that, it also covers and requires procedures, guidelines and standards in all three areas of control, i.e. administrative, physical and technological, to ensure compliance with this single security policy item.
On the other hand, procedures, guidelines and standards should continuously be added and updated to include any change in technology. So if your employees start using Web 2.0 technologies to communicate with the outside world, you do not have to go back and change your security policy to protect against that. Actually, you don't have to do anything at all, but I would advise against that. My take is that even though one doesn't have to do anything in the presence of a good security policy, it is always better to inform and update employees about your company's official stance, using some sort of advisory that refers back to the original security policy item. If this is done properly, you will seldom have to go back and change your security policy, regardless of what technology throws at you.