Writing Security Policies, the Impossible Mission

Security policies are an essential ingredient to any successful security strategy, some might even argue that policies are the most important part of security controls, but how easy is it to write those security policies? Well, not as easy as we all want it to be. Clavister’s resident security expert, Ahmed Musaad, gives a primer on policies and what to look out for.

The process of writing security policies involves three problems that face anyone who is trying to establish an effective set of policies for a company or an organization, those problems can be summarized in few lines:

• It’s extremely hard to achieve balance between security and productivity. Finding this balance can be stressful and requires a lot of effort to actually produce policies that ensure security while allowing other business units to operate in peace.
• People seem to still believe that “one solution fits all” might work for security so they take the policies written for another company and try to enforce them in their workplace, needless to say, that is a recipe for failure.
• The upside down culture within the security community teaches professionals that security is more important than other business functions when in fact security is just one of those functions with one simple goal: making sure business operates in a secure manner. This culture makes it hard for some security people to see the big picture and results in policies that might hinder daily work for employees.

This task is a complex one, and many people either take it very seriously or very lightly which ends up with the company becoming either a fortress where no one can work or an open house where the concept of confidentiality and security don’t even exist. I feel for anyone who find themselves tasked with writing and enforcing the security policies at a work place, I went through that process few times in the past few years and learned few lessons along the road which I want to pass along to those who might be trying to accomplish this impossible task, so here we go.

• Study your company work processes and procedures and identify how security interlinks with them.
• Start with a generic set of policies (e.g. ISO 27001 policy templates or SANS templates) and work towards a fully customized set of policies that fits your workplace requirements and needs.
• Always keep your eyes on the big picture, security is here to help the business achieve its mission with minimum interruptions, your company is your customer.
• Send your policy draft to people from different departments/teams within the company and ask for their feedback. Use that feedback to improve the policy and bring it closer to the balance point we talked about before.
• Be adaptive and listen to other people comments and complains about the policies you wrote, it’s an important part of the process.
• Once the policies are approved, make sure to enforce them the best extent you can, otherwise you are better off spending that time doing something more productive than writing documents that no one is going to follow because of lack of enforcement.

You picked up an almost impossible mission, but with some dedication, an open mind, and good listening skills you can achieve it and find that balance point that makes both sides of the table happy and productive.