As an adjunct instructor at ITT Technical Institute for the past four years, I enjoy introducing a new topic to the newer students and then seeing them a year or two later and seeing how far they have come.
For most, the concept of policy, and more specifically security policy, is foreign. I think they must get tired of hearing me answer: “it all depends” or “what is the policy and why does it exist that way?”
Joan Goodchild, Senior Editor of CSO magazine, wrote a recent article, The Seven Deadly Sins of Security Policy. Here are her security policy deadly sins:
It is my experience that the biggest issue is lack of buy-in from the top. Without top-level buy-in, why should anyone read, follow or believe the policies are enforceable?
For many organizations, security is viewed as the “business prevention department.” The challenge security professionals have the world over is justifying the associated expenses. Security is an expense, but for many organizations it might be absolutely necessary, even an item that can be used to differentiate it from its competition, attract employees, and have a positive impact on the bottom line.
There are many deadly sins with respect to security, and the worst is something many organizations are guilty of (though it is not one of the seven): they have no formal security policies.