Improve Security Through Meaningful Security Policies

Published: January 9, 2008

By Harry L. Waldron, CPCU, AAI, Microsoft MVP


Policies Are Designed to Control Human Risk Factors

Every major company has formalized policies that define what people should and should not do in the workplace. Policies promote best practices and the protection of information while they discourage misuse of business assets. The overall effectiveness of policies will relate directly to how well they are communicated, promoted, and evaluated in terms of continuous improvement.

Good security requires a balance of technological and human behavioral controls. For example, a company can have outstanding technical controls and still experience security issues because people intentionally and unintentionally violate IT security policies. Technical safeguards may be compromised when a user discloses his or her password, sends out confidential information in an e-mail, or clicks on a malicious link or e-mail attachment.

Reasons Why Policies Sometimes Fail

In order for security policies to be effective, it is important to evaluate why they may not be as successful in the workplace. The following are five reasons why policies can fail to achieve their objectives:

  1. Sometimes security policies are published and distributed as a manual that may be looked at initially. However, employees become busy with daily tasks, and the security manual is filed away and forgotten.

  2. Some policies are written as “window dressing” to satisfy audit requirements, but the concepts are not followed in real life.

  3. Some policies may not be actively monitored and enforced in the workplace. People usually follow existing norms they see in the workplace. Employees may compromise security policies if doing so makes their jobs easier.

  4. Policies may not be clear enough for their intended audience. They may be too lengthy, too technical, or full of legalese. Also, the overall tone of policies may be too negative, and this could create user resistance. Finally, it is important that standards and procedures are separate from the overall policy.

  5. The lack of training and promotion of policies within the company is a primary reason for failure. Users will not integrate these concepts into their daily work practices if policies become shelfware.

Best Practices for Effective Security Policies

After IT security evaluates the effectiveness of current security policies, it must develop an action plan and prioritize this project among competing assignments. Making this a formal project will keep the need for change in the forefront as IT security professionals strive to meet daily challenges.

Do not publish IT security policies in a paper format. All policies, procedures, and standards should be published on the company’s intranet so that they can be instantly referenced by everyone in the company. This saves printing costs, and the policies can be kept up-to-date as a living, breathing document.

Write policies so that they are easily understood by everyone in the organization. Write policies in a high-level and generic manner so that employees do not have to change them as technology or business practices evolve.

Policies need to be reasonable and realistic. Avoid the use of negative language where possible, as it can create automatic resistance. For example, a policy that states, "Employees must not use the Internet for personal use," might be improved to read, "Employees must use the Internet for business purposes." Placing policies in a more positive framework helps achieve improved compliance.

It is beneficial to include general consequences for policy violations. An example might read, "Violations of this policy are subject to disciplinary actions by your manager or supervisor." This leaves some latitude for reforming improper behavior without firing an employee, provided the violations are not serious enough to warrant dismissal.

Keep policies separate from procedures and standards. Policies reflect high-level corporate security goals to protect the company against major risks. Procedures provide the detailed step-by-step instructions for accomplishing corporate policy security goals. Standards are detailed control methods that represent naming conventions, forms, or other approaches used in procedures. Policies are written in a manner in which the overall risk-management goal will not change often. However, standards and procedures can change frequently based on technology, business, or workflow changes.

Management must approve, support, and follow policies. Communicate policies by e-mail annually. It is beneficial to hold training or security-awareness classes when policies change or new policies are introduced. One best practice is to require an annual acknowledgment form for the employees to sign to signify that they have read and will comply with corporate policies.

Review policies often to ensure that they still meet new business or legislative changes. The corporate legal department must approve all policies to make certain they are on a firm legal foundation and will be fairly administered. Review policies from a technological perspective to confirm that they cover new devices or innovations that could pose a security risk, for example, flash drives, wireless devices, and targeted phishing attacks.

Conclusion: Use Continuous Improvement for Corporate Policies

Most employees want to do the right things that help their company stay in business and to maintain their own career paths. Employees often do not understand the impact they have on security. Understanding why policies are in place makes them more concrete than only understanding the things they can’t do. Well-constructed corporate policies that are communicated properly help employees understand the company’s expectations.

Every employee plays a vital role in security. Corporate policies promote the best behavioral standards for users, which can complement technical defense systems. Security policies must stay in tune with business changes and be improved continuously so that they are effective for the user community. It is a job that never ceases.