Security's Everyman


Saturday, July 07, 2007

Writing Policies

Information Security involves many different disciplines. Some are technical, some are administrative, some are managerial. A good security professional will gain and retain skills in all of these areas as he/she moves through their career. I've spent most of my career on the technical side of things with some administrative and managerial thrown in. My new job has me focused primarily on working with policy at this time. I've been updating old policies, writing new policies and looking into just how PCI is going to affect us and what we have to do in terms of policy and technology to ensure that we are compliant. This is not an easy process, especially when you are new to a company. I am still learning how various parts of the network connect and interact with other parts. I'm still learning what it is that Management wants and what we have the technology and infrastructure to support. Then there are the decisions that were made just prior to my starting with the company. Some of them were made because they fit well with the direction that the company is heading and some of them were made because it allowed us to put a check mark in a compliance box. If you have been reading my blog for very long you know how I feel about that.

Anyway, I digress. My point in this post is to talk about policy and how to write an effective one for your company. Of course I'm not the expert on this and I don't have all the answers and am still learning much. Much to my delight I ran across a site the other day that does a much better job than I can do. The site is The Trusted Toolkit Blog. They have declared July to be "Policy Month" and they are writing about how to create a security policy and even giving sample policies for you to download. I recommend that you keep your eye on this site this month because even if you never have to write a policy it will benefit you to have an understanding of how a policy is written and the steps involved in creating one. Not to mention that the focus on learning some "soft skills" will benefit you in the long run.

Security Urgency

There is a trend in information security (actually in IT and life in general) to tackle the urgent issues first. These are the issues that users are screaming about, management is on you about, auditors have written you up about, and these are the things that get you noticed. No one gets noticed for the security flaw or vulnerability that they found, patched and as a result prevented a breach. You get noticed when you put out a fire that other people see. Even if that fire is in the middle of a field and is surrounded by a moat full of water. People see you out there jumping up and down putting out that fire and they applaud you. This is where the security professional needs to make a change.

How do we do this? We can't stop fighting fires because if we do then we will lose battles that we can't afford to lose, and we need others to see us succeed. We have to be proactive and plan. We have to know our environment and what the threats to it are. We have to put together a plan to protect our data and get management buy-in. Being proactive and getting buy-in can be our biggest challenges (next to time) but they are crucial to success. Not only success in getting our plan implemented but being successful in getting out of the "Tyranny of the Urgent" cycle.

This problem is multiplied for those who are either solo IT/Security departments or part of a small shop. Fighting fires can and often does take most of your time because they are always there. That is why it's important for management to realize that just because it's a fire doesn't mean that it's a priority. You need to have a policy in place that defines what is a priority and what isn't. A problem that affects only one user or doesn't impact the business is not as important as getting a patch deployed that will prevent a breach. Sure, the fire is visible and puts off heat, whereas the patch is not seen by anyone but you, but it is important and has to be done.

So what is it that needs to change? Our policy? Our plan? Our mindset? Ensuring that all three are constantly updated and evolving is a good idea, but our definition of urgent and our priorities are key to keeping us out of trouble and keeping us from stomping out fires in the middle of a field surrounded by a moat full of water.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.