Thursday, December 20, 2007

InfoSec Policy - why not?



Most people in the IT field dread anything that relates to documenting "how" to do something related to their positions. Why should we? It's all up here (point to your forehead - i.e. the steel trap).

I'll be honest. Documentation isn't my FAVORITE thing to do. But then again, neither is working, period. So why am I writing about infosec policy? Because time and time again, we come up short; whether that means our infosec policies don't exist at all, or they cover only "Acceptable Internet Use", or they're:
  1. Super long
  2. Super hard to read
  3. A super waste of paper and hard drive space
Why do we all fall short in the area of actually writing information security policy? I've got a couple opinions, and the masses can disagree with me if they want (I know you're out there).

First opinion: we get lost in thoughts of the policy having to cover everything. That's like saying, "I don't want to create any laws because I want to make sure that no one commits any crime." Not possible! But wouldn't we be better off having 5 laws versus no laws? Don't murder, don't steal, don't lie, don't litter, and don't be a jerk. I would think the world would be a better place having those 5 laws versus NO laws whatsoever. Same goes with an infosec policy. You might as well get started now, because anything you outline and document is better than nothing at all.

What does policy mean? "A definite course of action adopted for the sake of expediency, facility, etc."

How do I define it? It's a blueprint. Plain and simple. You wouldn't build a house without a plan, right? Why would you build a holistic security strategy without a plan on what you're going to do, how you're going to do it, who will be responsible for which parts, etc. It's that simple. Seriously.

But wait, here comes the second opinion. Blueprints are big. REALLY big! Not necessarily, my peoples. They're a guide. The blueprint doesn't have to be the SIZE of the actual house. Neither does your infosec policy. I was at a security seminar a few years ago, and the guy (can't remember his name) asked the audience if their companies had an information security policy. 25% of the audience raised their hand. Then he asked how big the policies were and what they covered. I'll never forget this dude from IBM raising his hand and telling everyone that their infosec policy was 5,000 pages long.

C'mon, seriously. Whoever or whatever team wrote that pile of crap obviously liked to hear themselves type or were a bunch of reefer addicts. I would take that thing out into a parking lot and light it on fire, and then start over with something that someone WOULD ACTUALLY WANT TO READ.

Isn't that the point? For people to read it, understand it, and follow it's direction?

So my goal, and what I was taught, is that it should be clear, concise, and written at a 7th grade reading level. I shouldn't have to bust out the dub-dub-dub in order to understand what I'm being held accountable for. Right? Thanks for agreeing...

What is the point of this post? Start working on something now. And don't do it because HIPAA, SOX, or PCI made you. Do it because you need and want to do the best thing for the positioning of your security posture. Stop talking about it. Stop saying, "We don't have an information security policy." Start doing.

A general information security policy could start by putting together a quick one or two page outline of how the organization takes security seriously, and it's goals. Then start on the sub-policies that actually define specific areas.

What are sub-policies?

  • How do you administer changes to the firewall? Who approves the changes? Now you have a Firewall Administration policy.
  • What can I do with my computer? Am I allowed to hack Switzerland? Now you have an Acceptable Computer Use policy.
  • Do you have third-party organizations connecting to your WAN/LAN? How should they connect? Now you have a Third-Party Communications policy.
  • Am I allowed to use a signature including my e-mail address, phone number, title, and address when I post to my favorite tech forum? Now you have an Information Dissemination policy.
I know I'm making it sound ridiculously simple. But then again, it kinda is. It's NOT rocket science. Why? Because rocket science IS rocket science. Infosec policy writing, isn't.

If we just start doing, instead of talking, we can all get through this process. We have to. Every solid security organization depends on it. I promise.

Respect it.