Keep security policies brief and easy to follow

The first step in any security technology implementation is a good security policy. That’s not news. But how does one build a solid policy on which to work?

Keith Parsons, security specialist with a chartered Canadian bank, suggests that the key to a good security policy, or indeed any policy, is management buy-in. Everyone, he said, should be governed by the same rules, or they become a bitter pill for employees to swallow.

Asking workers to adhere to a no-smoking policy, while the president sits in his or her office smoking a cigar, is more likely to become a running joke than something enforceable, Parsons pointed out.

As far as security goes, “you have to focus on making management aware of the risks” both to the company and to a lack of policy.

The right kind of security policy can help companies in a legal bind. If an organization has fired someone for accessing Web sites the company deems as “immoral” or “wrong,” the company must show it had a policy stating that visiting those sites would lead to dismissal, Parsons said. “Without policy an organization is at risk.”

Assessing the security risks can be difficult and is often more reactive than proactive, according to Rosaleen Citron, CEO of Burlington, Ont.-based IT security provider WhiteHat Inc. She said it’s very hard to know where the holes are and where the breaches can occur.

“That’s why we recommend having an assessment done. People really need to talk to security companies, or groups, like one the RCMP has that can help with policy and assessments,” she said. The RCMP information is at

One Mississauga, Ont.-based security consultant said too many organizations take a “if it ain’t broke, don’t fix it” approach to security plans. They are reluctant to address security issues, so a breach must occur before security is addressed – and that’s how most security policies come into place.

Another pitfall to policy implementation is enforcement. Tome Slodichak, CSO at WhiteHat, said a policy is important, but it’s only a piece of paper unless it can be enforced.

He suggested companies decide who will own the policy – often human resources – because that person or department will be the one carrying the big stick in terms of repercussions.

Parsons said policy needs to be thought of as a law. “If you fail to comply with policy there are heavy penalties.”

The policy, he said, should state the position of the company, and that the best ones are very clear as to what the company will and will not tolerate.

Citron noted that a security policy is often an umbrella for policies on e-mail, Web browsing, using internal servers and devices. She also warned that companies need to keep an eye on privacy legislation and how that will affect their plans.

Parsons had a few suggestions for companies writing new or updating policies: keep it brief, take into account business processes, review it annually, make it easy to read and easy to comply to, and keep it relevant to the topic and information at hand.

Others say management must constantly articulate what business the company is in, and what the business objectives are, as policy is built in line with that.

Slodichak added that policy has to be matched to employee culture and has to meet reduction in liability goals for the company without stepping on that culture. He stressed the importance of keeping it brief and easy to understand, or the policy will start to breed contempt.

In keeping with this, Slodichak said, policy needs to be rolled out properly. “Don’t just drop it on someone’s desk, or put it in inter-office mail and say, ‘Read this and comply.’ You’re not going to get buy-in.”

Parsons said just putting policy out there, like it’s done in a vacuum, will not work. Again, he said, make sure everyone is behind this policy and that no one is excluded from following the rules laid out.