Sunday, February 9, 2014

The Importance of Policy

The very first blog entry starts with policy, because...well, everything starts with policy really.
I once interviewed for a job a ways back; a real career move into one of those important positions. I didn't get it, but things were going as they should when I got a fairly standard question.
To paraphrase:
"Let's say you are evaluating a new program.  You have identified several policy violations during your review (I noted they were careful not to say audit).  When you approach the project manager he says that he will not address whatever controls you found were lacking.  How do you get him to do it?"
Naturally, I responded by pointing out that some of the missing controls may be required by policy because they are legal requirements. Because of this, the company is legally liable to exercise due care and due diligence to ensure that it complies. This might require coordination with the legal department if it cannot be settled otherwise. I went on to say that in all other situations of policy violation I would attempt to convince the project manager why he/she would want the controls in place, the risks involved, and why they are part of policy. If the project manager was still unwilling to comply, then I would address the violations with those who are ultimately responsible for the organization's security. By this, I don't necessarily mean jumping directly to senior management, but I do mean following any security chain-of-command - ISSO, IAM, IAO, CISO, etc.
The response baffled me. I couldn't believe my ears. Could this really be? The interviewer proceeded to tell me that having a military background had tainted my vision. I understood his point - that corporations are much flatter in structure than the hierarchy found in military organizations, and that you can't just tell someone to do something and have them comply - but I felt my response was accurate given that it was twenty seconds and impromptu.
The fundamental principle still applies: policy is only as good as its enforcement and isn't much good if it is just words on paper. Then I recalled that in almost every course I've ever taken, the number one topic is winning over management support of the security program and achieving their willingness to enforce such a program. Everything starts with that. Could it be that corporate America is still struggling with this concept? Without this principle in place, how can you ever achieve any level of assurance that the organization and its programs are compliant? Not to mention, if you cannot accomplish enforcement easily in a flat model domestically, then how would you ever accomplish it through outsourcing or globalization? These aren't guidelines or sets of best practices we are talking about here. What is in policy should be items that are required, except where a documented exception may be necessary.
Here are just a few reasons why policy is important:
  1. It provides the foundation of organizational governance
  2. It provides guidance as an authoritative source when questions arise
  3. It identifies requirements - these requirements were likely based on some primitive risk assessment during a business impact analysis, hence their importance

I intend to do some research and offer some pointers on achieving successful security policy enforcement in a flat organization in a later post.
