Power of Negotiation
Spinning up a new security program is no easy feat. Neither is changing the direction of one that is already in place. One of the first things that everybody identifies as necessary is policy. Whenever the auditors come through an organization or department, documented policies are one of the first things they ask to review. But policies are one of the hardest things in security, or business for that matter, to generate and update. Heck, in comparison, ethics is easier than policies. In ethics, usually, when a person has to think about something, then they are probably crossing the line. But with policies, how much is enough, and where does it start crossing the line? By line I am talking about things such as cost efficiency, individual privacy, and any number of other questionable subjects.
I am not writing this to tell you that there is an easy way to overcome these issues. Rather, I am here to tell you that it is still tough even when you have great training, extensive resources, educated mentors and teachers, and experienced peers. Policy generation will make you scratch your head, cross your eyes from staring at the monitor, print out gobs of paper to review, and force you to take long walks while you clear your head. And if you are primarily a technical individual, it will make you wonder what the hell you have gotten yourself into. But if you have taken that step, if you have taken on the responsibility to generate an organization's policies, then you are probably going to see your way through to the end of the process. And that, my friends, is all that it takes.
Nobody has ever said that there is a perfect policy. To date, nobody has published a single policy to the Internet and said, “This is the policy you need to govern E-mail usage with any organization.” Of course not, it is not that simple. There are many factors to take into consideration. There are unique risks to be evaluated and leveraged. And that is where the “Power of Negotiation” comes into play.
The security professional of today (yes, today, we must evolve now) must be able to work within an organization as a member of the technology department, the management department, the development department, the end-users and any other part or department of the organization. It is critical that the security professional take into consideration the aspects from all of these areas and use them to build a security plan and develop security policy. Notice that I said “take into consideration.” I used this terminology because the security professional is not required to know how to do all of these jobs. How could s/he? No, s/he must be able to talk to all of these people and give them the sense that their jobs, their everyday tasks and processes, are a part of the organization and that they will be taken into consideration during the development of these often unfunded mandates. And it is this consideration that will bring these people to the table ready to talk about security. Ready to provide their input into a process that will affect them and their peers. If the security professional can create strong working relationships with the majority of these people then they will be willing to help guide the development of security policies by negotiating their contents and creating something that can be implemented and utilized.
Of course they will require guidance. My suggestion is the following:
- Identify the group of individuals that will comprise a policy creation team. Members should include representatives from all departments or, at the very least, the departments that will be affected the most by the policies. You will know; it is your organization.
- Set up a mandatory meeting schedule and stick to it.
- Find the most senior person in your organization, invite them to your first meeting, and have them express how important it is to utilize teamwork and get through this process effectively.
- Train the members of the team about policy generation. Nothing fancy, just something that will help them understand what the key elements are within a policy. A great primer is: A Short Primer For Developing Security Policies
- Develop a road map for the team and come ready with a guide that explains the policies you feel will be necessary. A good guide (WARNING: Microsoft Word document) is provided by the Texas Department of Information Resources: IS Policy Guide. Do not forget the other resources that go along with this guide.
- Provide leadership and guidance, but also be humble, understanding, and patient. Remember, you may be the most experienced policy maker in the group (scary, right?) and you will be looked to for everything I just mentioned.
Modify these steps to fit your situation. They can be used when spinning up new policies or when reviewing and updating policies that are currently being implemented within your organization. Hopefully they are useful and allow you to form an environment that permits open conversations and negotiations.
Go forth and do good things,
Cutaway
Technorati Tags: Security Ripcord, policy, DIR, Texas, negotiating
Help support my training and travel to security conferences. Get your SANS Training and GIAC Certifications through the Security Ripcord.