Comments on: I’m Sorry Sir, But That’s Our (Security) Policy

by: 3 Steps to Planning a Security Policy | Anti Best Software Spyware Virus

Thu, 22 Nov 2007 13:58:13 +0000

[…] 1) Wright, Scott. “I’m Sorry Sir, But That’s Our (Security) Policy.” Security Views. 20 Feb. 2007. http://securityviews.com/blog/2007/02/20/im-sorry-sir-but-thats-our-security-policy […]

by: Simone D.

Mon, 26 Mar 2007 09:00:03 +0000

You are right … maybe i don’t trust very much people … but i think that all i can ‘force’ is more secure than any sanction

For what i can’t check i have to create a policy, but sincerely i think it can’t consider ’secure’.

by: Scott

Mon, 26 Mar 2007 03:21:02 +0000

@Simone - From your comments, I gather that you are primarily concerned with “automated policy enforcement”, such as those found in many products. Often you can set what users, roles and groups of users can do. You are correct, as usually you can prevent abuse of these policies if you have them set properly.

But what this view misses is the “non-automated policies”. Automated policy enforcement are a very small subset of what should be an organization’s IT Security Policies, and its global “Security Policies”.

The top level Security Policy could cover things like having a printed “Access Control List” for entry into the Operations area. While this might be handled by access control systems, it may be a security officer checking badges against the lists.

An IT Security Policy should also cover many policies that can’t always be enforced by software control. Things like “Acceptable Use Policies” for a whole organization define how the computer systems may be used, and how they may not be used. This is where the idea of “Sanctions” come in. If there is evidence that someone is operating a part time business on eBay from their workstation, the IT Security Policy should say that this is grounds for revoking their computer system access, or even more likely, for dismissal.

Sanctions for an employee breaking a policy should act as a strong deterrent from abusing the privilege granted to them by the organization.

by: Simone D.

Sun, 25 Mar 2007 09:42:54 +0000

Really interesting topic!
I’m not sure about the 4th rule “What sanctions are applicable when policy is not followed” (i’m thinking about IT security).

Sanctions are applicable when a policy is not followed … but if i decide for a policy don’t i force it?

If there is a policy “this is not allowed” it is NOT allowed … if you try to do it simply doesn’t work.

Or do you think that is enought create policy and check constantly that people respect it?

I’m interested

by: mroonie

Tue, 20 Feb 2007 18:34:50 +0000

Great topic to write about. I think a lot of people are lost when it comes to company security and you broke it down really nicely. I’ll have to write an article on this topic. Thanks for the inspiration! Is it okay if I pull some quotes from this post for my article?