Call for case studies… Simpler can be better, even in security; but easier is usually less secure
Without going too extreme, I believe it is often possible to have better security with fewer policies and rules. But don’t be fooled; simplifying is rarely “easy”. It’s like the writer telling the editor, “Sorry, I had to submit a 100 page story, but I didn’t have time to make it shorter.”
My case studies to date have all focussed on breaches due to inadequate security policies, safeguards or human decisions. I would like to start dealing with success stories. I have a hunch that there are at least a few Security Managers or executives who have done a good job of crafting policies and keeping their staff educated about security issues.
You don’t have to name names, but it would help. If your organization (of greater than 20 employees, say) has done a good job, and has a good record of keeping its house in order through the past 5 years, please submit a comment or send me an email at scott @ securityviews.com (no spaces). It can be good publicity for you.
To continue in the vein of simplicity, I recently came across the IT security policies of a major Fortune 500 company. I was pleasantly surprised at how compact and concise they were. Everything, including example scenarios, fit into 40 pages and made for easy reading. There’s no reason anyone needs more. Unfortunately, I can’t name the company yet. But I’d like to hear more about how keeping things simple (with some effort up front) has led to success.
On the other hand, taking the “easy” approach of cloning somebody else’s policies and procedures is usually risky, and not necessarily simple.