CJ Cox talks about the highs, lows, hows and whys of security policy.
// Show Notes
* Why are we doing this?
Do you hate your audience? GDPR was bad enough.
My Methodology
* The Rant
* Cross between Bobcat Goldthwait and Dennis Miller
Policy is the foundation to the foundation
Don’t we all just love Policy
* If I’m going to do this, I’m going to do this right
Law and Policy: 16th Street Mall
Bad policy: gov't 1,000s of pages, shelf-ware
Don't let the tail wag the dog
The challenge of the small organization. We are all resource constrained. If not, help the rest of us out, eh?
* Resources
Steal it, borrow it, sample it
SANS policy page: free 99
Charles Cresson Wood: ver 10 $990; version 8 $9.00 CD, 740 pages
From the book of Wood “He is noted for his ability to integrate competing objectives (like ease-of-use, speed, flexibility and security) in customized and practical compromises that are acceptable to all parties involved. Acknowledging that information security is multi-disciplinary, multi-departmental, and often multi-organizational, he is additionally noted for his ability to synthesize a large number of complex considerations and then to document these in security architectures, system security requirements, risk assessments, project plans, policy statements, and other clear and action-oriented documents.”
Articles
Surveys show policy reduces breach occurrence… 19-46%… full policies 57-93%…
* Nuts and Bolts
Policy, Procedures, Standards, Guidelines: what's the difference?
* Divide and Conquer
* Framework/Buckets
* Keep it simple and grow it
Sample:
* Layer 1
    * Systems Security
    * Data Security
    * Account Management
    * Passwords
* Layer 2
    * Training
    * Personnel Security
    * Acceptable Usage
* Layer 3
    * Incident Response
    * Assessment
* For each box create policies, standards, guidelines, and procedures
* Guidance
* Bob’s Policium Concisium: Advice on Writing Security Policy “The great curse of comprehensive policy… is that they are only used when something goes wrong. The battle cry of “did you follow the policy?” is usually met with … the following response, “What policy?” [1]
* Keep it short, clear, and concise.
* A foolish consistency is the hobgoblin of little minds.
* Remember the 10 Commandments…
* How about the FAR?
* The FAR: $2.08, 2,017 pages. "The Federal Acquisition Regulation (FAR) contains the uniform policies and procedures for acquisitions by executive agencies of the federal government."
* Constitution of the US….
* Are Policies enforceable?
* Are they measurable?
Process
Set Priorities
Are you starting from scratch? What is really important? Look at your incident record.
Management and User Buy-in
Management is not stupid
User group? Management leverage? Buy-in. Get influence… if you don't have influence, get it. Until then, keep it manageable.
* Support
* Stake in the ground
* Format
* Introduction
* Purpose
* Quick Definition
* Scope