Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

The policy bootstrapping problem.

Here’s a question for you all playing along at home:  do you ever delay rolling out a new official security policy?

There are plenty of policies that cost money to implement:  systems have to be reconfigured, applications have to be rewritten (and in some cases massively redesigned), business processes have to change—these all cost time and money that your organization may not have in sufficient amounts.  You want to do the right thing, but you know you can’t do the right thing all at once.

So do you put the policy on the books, knowing there’s a risk that auditors will come along and use the policy against you because you’re not actually quite following it just yet?

If you don’t publish the policy, how will people know about it so that they can start following it as soon as they can?

I tend to cheat.  I roll them out as guidelines first.  I start talking them up, especially to the groups that are best positioned to start following it early (such as those writing a new application), and warn them that at Some Point in the Future, they’re going to become official, so I’d like to help them work on aligning with them now.  This creates the impression that I’m trying to help them get a leg up—why, it’s almost like helping them cheat on a test that hasn’t come up yet.  The news is often received better that way, as long as nobody panics when they first hear of it.


More what you’d call “guidelines” than actual rules.
(Only a few days late posting, me hearties ...)


Posted by shrdlu on Saturday, September 26, 2009
(4) CommentsPermalink blogmarks Favicon del.icio.us Favicon Digg Favicon Fark Favicon Furl Favicon Google Bookmarks Favicon StumbleUpon Favicon Technorati Favicon TailRank Favicon

Next entry: Bring in 'da noise, bring in 'da FUD.

Previous entry: When 'high availability' isn't good enough.

Comments

Ben United States on 09/27  at  10:17 AM:

I’ve used a similar cheat in the past. I’ve released “draft” policies or standards (more the latter) with an expected go-live date well in the future (one that’s fully amendable). All the communication focuses, then, on “this is the expected performance going forward.” fwiw.

dunsany United States on 09/29  at  02:31 PM:

Yes, I do that.  But my “best practice” is to start by explaining the problem to the leaders of the biggest business group involved in the policy change. Then I help “lead them” along working out a new set of general objectives, while I do lots of nodding and “good idea!”.  Then I offer to write up what they suggested and present it back to them as a new policy.

rybolov United States on 10/22  at  07:13 PM:

Oh come on, they just don’t make BSOFH’s like they used to.  =)

A good BSOFH knows the meanings of the words “should” and “shall” and uses the former in policy when it’s a guideline and the latter when it’s something that you really want done.  Then later on you do a replace and “should” becomes “shall” and is published along with the changes diff so that they can see what is now mandatory.

Boo-yah, policy in a nutshell.

Dunsany has much wisdom.  You sure he’s a full-time cartoonist?

shrdlu United States on 10/24  at  11:17 AM:

@rybolov:  You’re betraying your public sector background, y’know ... wink 

And I’ve always wondered what the purpose was of putting “may” in a rule ...

Page 1 of 1 pages

Add a comment

Name:

Email:

Location:

URL:

Smileys

Remember my personal information

Notify me of follow-up comments?

Submit the word you see below: