policies people can read

Upload: secureitexperts

Post on 18-Nov-2014

DESCRIPTION

Writing information security policies that people will actually read.

TRANSCRIPT

Page 1: Policies people can read

Writing Security PoliciesThat People Can Actually Read!!!

© 2011 Network Computing Architects, all rights reserved

With Your Host: Brad Bemis

(CISSP, CISA, and Known Troublemaker)

Page 2: Policies people can read

Shameless Self-Promotion

• Brad Bemis, CISSP, CISA, ABCDEGFHIJKLMNOP…

– Senior Security Consultant with NCA in Bellevue WA

– 20+ years in the information security industry

– AAS in Personnel Management (i.e. HR)

– BS in Information Technology

– MS in Education (Underway)

– + Business & Psychology

– Highly opinionated

– But mostly right ;-)

Page 3: Policies people can read

The Standard Disclaimers

• I am not a lawyer, nor do I play one on TV

• Policy development is a subjective topic

• There are several different approaches

• Lots of policy presentations out there

• This one will be a little different

• Non-traditional approach

• Everything is changing

• Gotta keep up!!!

Page 4: Policies people can read

Here's The Challenge

Turning This: (image) Into This: (image)

Page 5: Policies people can read

Where We're at Today

• How many of your employees:

– Know where your policies are?

– Have spent time reading them?

– Know what they say?

– Understand what they mean?

– Make an effort to comply with them?

– Help make sure that others comply with them?

• The numbers usually start low with the first question

• They tend to get lower as you move down the list!

Page 6: Policies people can read

Conventional Wisdom

• For a security policy to be successful:

– Must have management support

– Must have an assigned owner

– Must establish clear roles and responsibilities

– Must be relevant to the organization

– Must be focused, realistic, and enforceable

– Must adequately address security needs

– Must align with risk management principles

– …and so on. Sure, but what else?

Page 7: Policies people can read

Traditional Approach

Policies

Standards/Guidelines

Processes/Procedures

Page 8: Policies people can read

Why It's Not Working

• First of all – users don't care what we call things!

– They just want to get stuff done – their stuff!!

• We tend to write for the wrong audience

– Auditors, legal types, technical people

• There's usually way too much material

– 30 different documents, 300 pages of 'stuff'

• They're not really put together very well

– Intro, applicability, scope, purpose, etc.

– More words used to describe than to state them!

Page 9: Policies people can read

A Couple of Other Key Issues

• We often use the wrong kind of language

– Formal vs. informal – directive vs. conversational

– Punitive vs. positive – stick vs. carrot

• We don't make them very easy to find

– Most policies are buried on some obscure site

– They're usually just collections of 'stuff'

• We try to bridge an enormous gap ineffectively

– Thinking that 'awareness' is the answer

– Great campaign points to bad policy

Page 10: Policies people can read

Let's Talk Basics

• What a security policy is:

– A statement of intent or commitment

– A principle or rule to guide decision making

– A description of organizational expectations

• What a security policy is not:

– A legally binding contract

– A document written for auditors

– A vehicle for placing blame elsewhere

Page 11: Policies people can read

A Compliance View

• What PCI says about policies:

– Have one! Make sure it covers PCI topics! Maintain it!

– You can read requirement 12 if you want the details

• What HIPAA says about policies:

– Implement policies to avoid/manage security violations!

– Check out section 164.308 for additional information

• What SOX says about policies:

– Or rather, what's your auditor's interpretation of SOX?

– Policies are pretty much a given no matter who you talk to

Page 12: Policies people can read

Here Comes the 'But'

• Not a single one of these requirements says:

– Policies need to be a long, drawn-out affair

– Policies need to be written like legal documents

– Policies should be filled with contractual language

– Policies have to address every possible eventuality

– Policies exist for the sole purpose of making auditors happy

• Why then do we see so many policies written this way?

• What can we do differently as an industry to change this?

• How do we write security policies people can actually read?

Page 13: Policies people can read

There IS a Way…

• Understand the purpose and context

• Define and analyze your audience

• Frame up your overall message

• Use conversational language

• Leverage visuals if you can

• Educate and entertain

• Simplify everything

• Make it a tool!!!

Page 14: Policies people can read

Purpose and Context

• What is it that you are trying to accomplish?

• Is a policy the right tool for the job?

• How will a policy help the situation?

• How will you share/communicate it?

• Who will own, maintain, and enforce it?

• What about exceptions and violations?

• What's the organizational culture like?

• What can you get away with?

Page 15: Policies people can read

Audience Analysis

• Who is your intended audience?

• Any similarities between audience members?

• Any differences between audience members?

• What do the audience members do?

• What's important to this audience?

• How busy is this audience?

• What is expected of them?

• What else?

Page 16: Policies people can read

Message Framing

• Think about the purpose and context…

• Think about the audience members…

• What's the behavior you want to influence?

• How would you describe the desired behavior?

• How will you measure a shift in that behavior?

• What's the basic message you need to convey?

• What's the long form of that message – details?

• How can you boil it down to 3 to 5 sentences?

Page 17: Policies people can read

Using The Right Language

• Still keeping all of the former steps in mind…

• How would you convey your message to:

– Your child, your grandparents, your clueless uncle Bob

• How would you TALK to someone about it?

• Rewrite your message to be conversational

• Write for the 'lowest common denominator'

• Keep it short, sweet, and to the point!

• Engage the audience with your message!

Page 18: Policies people can read

Leverage Visuals

• Visuals are not typical in most policy documents

• These are usually reserved for 'awareness' efforts

• “A picture paints a thousand words” though

• Do you want to write a thousand words?

• Do you expect people to read a thousand words?

• Good visuals can really help – even in policies!

• Make sure they are relevant and appropriate

• Don't go overboard…

Page 19: Policies people can read

Educate and Entertain

• Try inserting some levity and irreverence…

• Your audience is more likely to read your policies

• People learn better when they are entertained

• Levity inspires confidence, trust, and creativity

• Companies that use levity outperform others

• It really all depends on your corporate culture

• You don't need to be a comedian – just fun

• Like visuals, keep it relevant and appropriate

Page 20: Policies people can read

Simplify Everything

• Only write policies that need to be written

• Get rid of all the 'fluff' – it's unnecessary!

• Create a [fun] security handbook to use

• Put a memorable title on your handbook

• Organize it by what people need to DO!

• Remember, employees are busy people

• Security is NOT their top priority – accept it!

• Blur the lines between policies and awareness

Page 21: Policies people can read

Give Them a Tool

• The policy document isn't your end-point

• Your handbook is just one way to move forward

• Add quick references, cheat sheets, check lists

• Anything that can make security easier for folks

• The BEST tool is a well done website – easily found

• Simple screen: 'What Are You Trying to Do?'

• Take a 'nested' approach to 'navigation'

• Get feedback and make improvements!!!

Page 22: Policies people can read

An Example for Dummies

• Look at the success of the 'for Dummies' series

• Their books embody everything here (and more)

– "From the start, For Dummies was a simple, yet powerful concept: Relate to the anxiety and frustration that people feel about technology by poking fun at it with books that are insightful and educational and make difficult material interesting and easy. Add a strong dose of personality, a dash of comic relief with entertaining cartoons, and — voilà — you have a For Dummies book."

• An invaluable approach to security policies

Page 23: Policies people can read

The Parts of Tens

• The last section of any 'for Dummies' book

• Essentially a 'top 10 list' on a particular topic

• Each item has an entertaining title

• Includes a brief, amusing summary

• Often closes out with a 'tip'

• Probably the single best model to follow

• Imagine if security policies were written this way

• Hmmm… People might actually read them!!!

Page 24: Policies people can read

"I Object"

• What are some common objections?

– Security is serious business

– You can't write funny policies

– You can't hold people accountable using these

– You can't meet compliance requirements using these

– Auditors/legal departments/executives may not like them

• Getting past these objections

– First, who are you really writing these policies for?

– You want people to read and understand them, right?

Page 25: Policies people can read

The End Justifies the Means

• In the end, policies are about setting expectations

• They're put in place to help (not hinder) people

• We can do more – we can do better!!!

• Remember:

– A GOOD policy is one that people READ!

– A GOOD policy is one that people UNDERSTAND!

– A GOOD policy is one that people FOLLOW!

Page 26: Policies people can read

Questions???

Page 27: Policies people can read

About the Author:

Brad Bemis is the Principal Security Consultant for Network Computing Architects (NCA) in Bellevue WA, and has over 20 years of practical experience in IT and information security. He is also a Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Associate Business Continuity Planner (ABCP), and Lean Six Sigma Greenbelt, with several additional technology-centric certifications from Cisco, Microsoft, and CompTIA.

Brad holds associate degrees in both Personnel Management and Information Systems Technology and a Bachelor of Science in Information Technology, and is currently pursuing a Master of Science in Education. He has also engaged in graduate-level coursework towards a Master of Business Administration and a Master of Science in Clinical Psychology.

Brad has worked with multiple Fortune 500 companies, military organizations, and government agencies around the world, in roles ranging from Systems Security Administrator to Chief Information Security Officer (and everything in between).

Although highly skilled across multiple security disciplines, his main passion is information security awareness and training – evangelizing the message and engaging others. He is also very active in the security community, including contributions to the Cloud Security Alliance (CSA), board positions with the Greater Seattle Area Chapter of the Cloud Security Alliance and the Pacific Northwest Chapter of the Information Systems Security Association (ISSA), participation in several other professional associations, sharing insights and experience across a number of on-line security forums, and much, much more.

Additional information can be found on Brad's professional blog at www.secureitexpert.com.

Page 28: Policies people can read

About NCA’s Information Security Practice:

NCA’s Information Security Practice is an ISO 27001 Certified Professional Security Services Consultancy with offices in Bellevue WA, Portland OR, and Los Gatos CA. We offer a wide range of professional security services that can be scaled and customized to meet the business needs of any organization. Our major core competencies include:

• Program Management: Building and managing a holistic information security program.

• Governance: Incorporating security into enterprise or IT governance frameworks.

• Risk Management: Measuring and managing information security and other related risks.

• Compliance: Ensuring that all internal and external requirements are being met.

• Identity & Access Management: Managing identities and permissions for systems and users.

• Perimeter Defense & Firewall Management: Defending the borders between networks.

• Traditional & Mobile End-Point Protection: Securing fixed and mobile end-point devices.

• Virtualization & Cloud Computing: Migrating customers to the cloud safely and securely.

• Event Management & Incident Response: Detecting and responding to security incidents.

• Awareness & Training: Engaging people in the process of security on a daily basis.

Through a number of strategic partnerships we can also deliver additional services in the areas of:

• Managed Services: Managing the day-to-day operational security of information systems.

• Application Security & Penetration Testing: Validating controls for business applications.

• Business Continuity & Disaster Recovery: Sustaining the business during emergencies.

Learn more today at http://ncanet.com

Or call 877-KNOW NCA (877-566-9622)