Policy formation 101

There is no tomorrow when writing a security policy. Sathya Mithra Ashok finds out what makes for an effective policy document, and how companies can go about putting together a comprehensive statement of intent.

By  Sathya Mithra Ashok Published  October 13, 2008

Once a draft has been done, it should be circulated among employees, as well as the steering committee, for further negotiation and changes, leading to an eventual consensus.

Written on stone

While that may appear deceptively simple, the truth is that organisations can and do tend to make a lot of mistakes on the way to forming their first policy. If not rectified or altered in time, these mistakes can prove to be the death knell for security in the organisation.

"Some mistakes are really glaring. In most of the cases where I have seen policies fail, it was because they lacked an initial or sustained interest from the executives. Another issue is that from day one, the objectives on which the policy is based are faulty. The third mistake involves engineering. I have seen teams that build reams and reams of paper with policy and procedures, which no one actually bothers using. As organisations get larger, they do tend to over-engineer policies," says Prasad.

Other mistakes include having the technical team write the policy instead of a specialised writer, leaving the relevant departments out of the formation committee, and working from a negative model (enumerating only what is prohibited) instead of a positive one (stating what is permitted, with everything else disallowed).

"Another common mistake that organisations make is not marketing the security policies properly internally. One important thing to keep in mind is that employees are already loaded with their work and you should not expect them to run after the policies in the intranet to have fun reading them. Therefore, organisations have to be innovative in the way the security policies are marketed to the employees," says Ahmed Etman, security business development manager at Cisco in the region.

Most companies leave their policies pinned to a wall, or circulated once as an internal document, without taking measures to spread the word. This is equivalent to not having a policy at all: if employees are not applying it in their daily work, the company's security is no better than it was before the policy existed.

Employee education on policies needs to use innovative methods, including cartoons, daily tips, incentives awarded after grading knowledge (through online quizzes and competitions), and penalties for behaviour that departs from the set policy.

"It is fair to say that in the majority of cases, even if there is a well-crafted, well put together security policy, it is no guarantee that one, the employees of the organisation will read it, two, understand it, and three, that they will keep to it. If a company was to simply rely on the policy being there without visible enforcements, then they are going to be disappointed with this in due course," says Davie.

"The most important thing is getting them to understand the effects of not complying with the security policies. Generally the easiest way is by telling people what the perils are of not following the policy. The first thing you need to do is say 'hey guys, did you know that someone did this, and this was the result that it had on the organisation, on the person, on that team'. It's very important to talk about the threats and how these threats can affect them. What we used to do is run standards-based training, but we found that users do not relate as much to it. They relate more to incidents as compared to standards," adds Prasad.

Khan agrees, saying, "Whenever there is a security violation in the company, it should be marketed all across the organisation. Only then will people start taking the security policy seriously, otherwise it has no meaning."

The firm should also take adequate measures to keep the security policy updated, treating this as a continuous process rather than a one-off exercise.

"There should be periodic audits of the policy. In a large organisation, this should be done at least once a quarter. There must be a continuous review of all the security devices and threats, and patch management should be a continuous process," says Prasad.
