Firewall Wizards mailing list archives

Re: Where to find an example security policy?


From: Brian Ford <brford () cisco com>
Date: Sun, 24 Sep 2000 12:28:52 -0400

Andy and Aaron,

I thought your advice on the "4 E's" was excellent with regard to Internet Acceptable Use Policy.  But with respect to 
overall Security Policy there are some areas where your suggestions break down.

You spoke about policies and culture.  It is nice to think that a group of employees working for the same company could 
come together, draft and publish such a policy document.  In my experience these efforts often go sideways when 
employees can't agree on specifics (like exactly which applications should be supported by the company) or ignore the 
reality of how the corporate network works (how much Internet can you push or pull over a T-1 line?).  Yes, many 
employees want to do the right thing and "just need to know what is right and what is wrong".  Often it's difficult to 
get them to agree on right and wrong (after all, they are human).

The most successful effort to develop and put in place a policy that I ever witnessed involved a draft that was written 
by the IT department (that was 3 people).  It was based on the company's specific environment (applications, network, 
etc.).  It was forwarded to the CEO, who read it and discovered that he had to ask questions to understand various 
chunks.  But after he asked and got answers to all his questions he drafted a memo to all employees.  In that memo the 
CEO discussed the objective of putting the policy in place, defined the policy, and explained how it should work.  

He followed that up with an all employee meeting.  That resulted in questions from employees about how various things 
should work.  Questions about use of applications.  A lot of questions about backing up data.  The IT department wound 
up bringing in some trainers who then focused on those employee questions.  It wasn't "rammed" as everyone was given an 
opportunity to ask questions.  The policy as defined by the CEO went into place.  

After the security policy was in place the IT group went back (working with management and HR), drafted, and 
implemented an acceptable use policy.  By that time all employees were "pulling the oars in the same direction".  
It made sense.  It was worded so that everyone understood what was in-bounds and out-of-bounds behavior.  Many employees signed 
off right away.  But they still had folks who objected.  I believe that company made renewal of the policy part of the 
annual review (not sure).

I've wanted to write about this effort for some time.  This wasn't my employer.  The company involved has no interest 
in being "a reference" for such a paper.  So, the best I can do is this.

The lessons I learned from that company were that you can't assume everyone will understand the policy.  You have to 
deliver it in "plain talk" format.  You have to follow up, solicit questions (and objections), and talk to people about 
it.  Education is important, if not critical, to success.  The policy has to apply to everyone, and be enforced equally 
on everyone.  Imagine the scene when an employee claims wrongful dismissal and proves that the executive staff (or 
others) are not held to the same "all employee" standards.

And no matter how much good work you do some people will ask if they can "opt-out".

Regards,

Brian


Brian Ford
brford () cisco com


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
