This article can also be found in the Premium Editorial Download "Information Security magazine: How security pros can benefit from information sharing."
Myth #3: Security policies must be comprehensive
Most security pros dread implementing and writing security policies because they assume these policies have to be exhaustive documents that address every aspect of IT and business procedures. A poll conducted at a recent Information Security Decisions conference found that many enterprise security pros have bought into the "more is better" approach. More than one-third have rolled out security policies longer than 20 pages, and nearly one-fifth have policies longer than 50 pages.
Documents of this length may be complete, but they are hardly accessible and are probably ignored.
Security managers fail to realize that the more work that goes into a policy document, the longer it takes to roll out and the greater the chance that parts of it will be obsolete as soon as it's pressed into action.
Whether you have a 50-page policy or no policy at all--as is the case with 14 percent of those polled--G. Mark Hardy, president of security consultancy National Security Corp., advises that enterprises create a one- or two-page high-level policy statement that includes the company's mission and objectives, as well as the guiding principles for and restrictions on the use of organizational property, resources and content. The succinctness of a "big picture" summary document will increase employee acceptance and boost compliance with the policies that matter most.
Myth #4: Security is a feature
Many managers view security as just another feature of the infrastructure--something you install, configure and administer, like a remote management application. But security is neither a feature nor a product.
"Security is a nonfeature requirement," says Counterpane's Schneier. Features in applications, for instance, are designed to allow input A to produce output B. Security is the mechanism that enables that activity to happen safely.
Security is better positioned as a subset of reliability, says Dan Geer, VP and chief scientist of insider security monitoring software vendor Verdasys. "Security is a means, not an end; reliability is an end, not a means," says Geer. The goal of reliability is to ensure the confidentiality, integrity and availability of data and data resources. If data is reliable, it's secure, but security alone doesn't make it reliable.
This was first published in January 2005