PODCAST: Security Policy: Fact Fiction or Implement the Marquis de Management

CJ Cox talks about the highs, lows, hows and why’s of security policy.

// Show Notes

  • Why are we doing this?
    • Do you hate your audience? GDPR was bad enough.
    • My Methodology
      • The Rant
      • Cross between Bob Cat Goldthwaite and Dennis Miller
    • Policy is the foundation to the foundation
    • Don’t we all just love Policy
      • If I’m going to do this, I’m going to do this right
    • Law and Policy 16th street mall
    • Bad Policy Gov’t 1,000s of pages, Shelf-ware
      • Don’t let the Tail Wag the Dog
    • The challenge of the small organization. We are all resource constrained. If not help the rest of us out eh?
  • Resources
    • Steal it, borrow it, sample it ,
    • SANS Policy page free 99
    • Charles Cresson Wood ver 10 $990 version 8 $9.00 cd 740 pages
      From the book of Wood “He is noted for his ability to integrate competing objectives (like ease-of-use, speed, flexibility and security) in customized and practical compromises that are acceptable to all parties involved. Acknowledging that information security is multi-disciplinary, multi-departmental, and often multi-organizational, he is additionally noted for his ability to synthesize a large number of complex considerations and then to document these in security architectures, system security requirements, risk assessments, project plans, policy statements, and other clear and action-oriented documents.”
    • Articles
    • Surveys show policy reduces breach occurrence…19-46%…Full Policies 57-93% …
  • Nuts and Bolts
    • Policy Procedures, Standards, Guidelines what’s the difference
      • Divide and Conquer
        • Framework/Buckets
        • Keep it simple and grow it
          • Sample:
            • Layer 1
              • Systems Security
              • Data Security
              • Account Management
              • Passwords
            • Layer 2
              • Training
              • Personnel Security
              • Acceptable Usage
            • Layer 3
              • Incident Response
              • Assessment
      • For each box create policies, standards, guidelines, and procedures
  • Guidance
    • Bob’s Policium Concisium: Advice on Writing Security Policy “The great curse of comprehensive policy… is that they are only used when something goes wrong. The battle cry of “did you follow the policy?” is usually met with … the following response, “What policy?” [1]
    • Keep is short, clear, and concise.
      • A foolish consistency is the hobgoblin of little minds.
      • Remember the 10 Commandments…
      • How about the FAR?
        • The FAR $2.08 2,017 pages “The Federal Acquisition Regulation (FAR) contains the uniform policies and procedures for acquisitions by executive agencies of the federal government.”
      • Constitution of the US….
      • Are Policies enforceable?
      • Are they measurable?
  • Process
    • Set Priorities
      • Are you starting from Scratch?  What is really important—Look at your incident record
      • Management and User Buy in
        • Management is not stupid
      • User Group?  Management Leverage?  Buy in.  Get influence…if you don’t have influence…get it.  Until then keep it manageable.
    • Support
    • Stake in the ground
    • Format
      • Introduction
        • Purpose
        • Quick Definition
      • Scope
        • What are the boundaries and the subject matter
      • Roles
        • Who has to follow this
        • What are differences for different groups
      • Definition
        • Define your terms.
      • Policy
        • What, where, when, How
        • Is there a problem with bullets?
        • Try to make it easy to read
        • Acronymns  only one you need to know AFS
          • Only good one is DEFCON
      • Version
        • Track the history and dates
    • Review
      • As many stake holders as possible
      • Peers, IT, etc
    • Draft, Publish, Train, Feedback
  • Track Everything
  • Organize Everything
  • Conclusion
    • Make it a priority.  It is important
    • Have a Vision and a Plan
    • Use best practice (steal)
    • Effective
    • Keep it alive and dynamic

https://www.slideshare.net/Info-Tech/develop-security-policy

https://www.sans.org/security-resources/policies

[1] https://securityboulevard.com/2017/11/policium-concisium-advice-on-writing-a-security-policy/