On a conceptual level, virtually no executive would argue against the need for well thought-out security policies and procedures. Legal and regulatory compliance requirements make it even more obviously necessary to think security through clearly, write down the steps to be taken, and make sure that each employee is aware of them.
The bottom line: If a company loses data, it could be in trouble. If it loses data and hasn't created a reasonable set of policies and procedures, it definitely is in trouble.
Setting policies isn't easy, however. In this ComputerWorld piece, researcher Anton Chuvakin offers five flaws in most companies' security policies. The first is not really a flaw in the policies -- it's not setting any at all. It logically follows that the next flaw is not updating the policy as the organization's standing -- and its technical holdings -- shift. The third flaw is having a policy, updating it -- and not ensuring that employees know what is going on. Focusing too much on technology and not enough on the real world and how employees act is the fourth class of mistake. Finally, Chuvakin writes, policies must be written in understandable language. This, of course, is something with which IT sometimes struggles.
This is a very good piece about security policies written by Gene Schultz, the chief security information officer of High Tower Software. It also is the first of three installments to date on the topic (the later two are linked to from the posting). This installment is a bit of an overview. Schultz begins by saying that the security policy in place when he arrived at Tower did not cover the situation that actually existed in the company. It also had provisions that employees would find hard to execute. He then describes how he rectified the situation, starting with a conversation with the CEO. Schultz considers policy to be a high-level document that provides guidance and direction. Standards and procedures are derived from the policy and serve as a more tactical roadmap for how to fulfill it.
Policies are growing more important and more complex. The difficulty of comprehensively protecting data is growing in lockstep with its portability. This Cisco study suggests that employees working from home are more apt to relax and not remember that they must adhere to security policies just as they do in the office. Likewise, telecommuting leads to more non-employees, such as family members, using equipment. These folks are not cognizant of, or covered by, the security policies.
This useful overview of security policies from Symantec does contain some company hype but is, for the most part, neutral in tone. The piece begins by outlining the benefits of having a policy. The second element offers tips on formulating policies. It includes a pyramid describing the structure upon which the policies are built. The layers are the actual environment; security measurement tools; procedures, guidelines and practices; standards; and, at the top, the resulting policy. Perhaps the most useful element is a listing of almost 30 standards and regulations that must be accounted for in security policies (depending, of course, upon the industry). Links to more information about each are included.
The final summary inadvertently makes a good point about policies in general. A beneficial security policy is a complex undertaking that requires a great deal of deliberation. Indeed, it seems extremely easy to create policies that actually harm the organization by creating a false sense of security.