
A reality checklist for an effective security policy

Here are three things to consider when writing policy statements.

If you've gone to the trouble of creating a security policy for your organization, then it should make your life easier, not harder. A well-designed and well-written security policy will make it more likely users will "do the right thing" themselves and less likely you'll have to nag them to comply or clean up their mistakes when they don't.

Before rushing that policy into effect, do a few reality checks to be sure the policy statements are short enough that users will read them, clear enough that users can understand them and practical enough that users can implement them.

Reality check #1: Are the policy statements short?

It's hard enough to get anyone -- users or management -- to pay attention to security. Don't shoot yourself in the foot by asking users to plow through binder-sized security policies. Instead, keep your basic set of security policy statements to three pages or less, says Sammy Migues, principal scientist at TruSecure Corp., a managed security services provider in Herndon, Va. Go longer than that, he says, and "You're probably not writing a policy anymore; you're writing processes or guides" that describe how or why you're implementing the policy.

"Each policy statement should be no more than a few paragraphs long," he says, and in some cases even shorter. For example: "All corporate systems, such as e-mail and Web servers, are the property of the company and may not be used for personal financial gain." A list of ten statements like that could easily be posted next to every coffee pot (or printed on every mouse pad) in your organization, rather than just appearing on page 102 of the employee handbook. That makes it harder for anyone to argue later that they never read the policy.

Reality check #2: Is it clear?

Besides keeping your policy statements short, make them as specific as you can. Good policy statements, says Migues, explain very simply and specifically what the user can or cannot do. For example: "No employee will load or download MP3 files onto any corporate system or forward or transfer MP3 files from any corporate system to any other device." The statement doesn't use vague terms such as illegal downloads, music files or file sharing, but describes specific technical actions that are forbidden for specific file formats.

Clearly written policy statements make compliance more likely simply because you've made it easy for the users to know what to do or not do. This is especially powerful in a job market where most employees will jump through hoops to keep their jobs, if only their boss would clearly tell them which hoops are most important.

If and when someone violates the policy, the first thing the folks in Human Resources will ask is "Was this policy ever explained to them?" If your policy statements were very specific and very clear, you can answer "Absolutely." and move on to any required disciplinary action.

Reality check #3: Is it practical?

It's all too easy (especially for someone unfamiliar with technology) "to write a policy which, if applied as written, would cost millions of dollars," says Migues. One example would be the sweeping statement that "No user will upload a virus onto any corporate system." Enforcing that rule would require an army of temps eyeballing each and every message entering your e-mail server from any employee. But failing to enforce it makes the entire policy (not to mention its author) look weak.

As soon as you begin drafting a security policy, "you need to take into account 'Is it even practical to enforce it?'" says Deetak Kanwar, manager of security solutions for BMC Software Inc.

A more practical rule to fight viruses might be "Any system used to access corporate data, even those owned by employees, must run up-to-date antivirus software along with all current security-related patches to its operating system." Any user can comply with this using Microsoft's free patch-updating utility and the purchase of a $50 antivirus program. While this obviously won't stop all infections, it's a practical way to close the most gaping security holes.

Too many companies either don't have a security policy or, if they do, "nobody cares to read it," says Kanwar. Don't let your security policy waste away on a shelf. Instead, do a reality check to make sure it will actually make your organization more secure and your job easier.

About the author
Robert L. Scheier writes frequently about security from Boylston, Mass. He can be reached at

This was last published in October 2003
