Finding The Hidden InfoSec Story

The Little Black Dress (LBD) and Information Security Policies

Photo Credit: Idhren via Compfight cc
A little black dress is an evening dress, probably originating in the 1920s.

It is intended to be elegant, versatile and long lasting: to have everything that is essential and nothing extraneous. In addition, it should be affordable and accessible to as many people as possible. Its ubiquity is such that it is often simply referred to as the “LBD”.

This sounds like a good model for Information Security Policies. However…

There are many sources and models for Information Security Policies, ranging from the freely available templates from the SANS Institute to commercial offerings such as books, downloads and discs containing templates. At the top of the cost scale are consultancy services that will write the policies for you.

Over the years I’ve seen some horrific examples of how NOT to write such policies. The worst started as a two-page initiative of the CIO in a well-known organisation. This had to be submitted to the HR function. The draft was discussed with the trade union representing the staff and was redrafted several months later as a four-page document. Words such as “forbidden” were replaced by “limited personal use” (what does “limited” mean?), and the sections on actions to be taken in the case of non-compliance were removed altogether.

The next step involved Legal Counsel. They redrafted the policy to a length of 11 pages with dozens of footnotes and cross-references, and plain language was turned into legalese. This took almost a year. The final stage, issuing the policy, consisted of printing thousands of copies and distributing them to individual in-trays. There was no requirement to acknowledge receipt or to state that the individual would apply the policy. New entrants are not given a copy, as everyone appears to have forgotten about it.

The next worst policy was different: good content, concise and clear. However, the document has no metadata (status of the document, date of issue, revision number, approved by, circulation, etc.), and there is no section on non-compliance.

Then there are the documents buried in an intranet that you may be lucky to find (you are under no obligation to search for them), and those policies kept on a dusty bookshelf so that the auditors can be told: “of course we have policies”. Many more stories like these suggest that this is not an unusual situation.

Good advice: Never issue a policy that you cannot or will not enforce.

Author: Ed Gelbstein
