Security policies are written to counter either known or notional risk. They set the rules by which organizations can manage their governance, risk, and compliance as they relate to information assurance. Policies provide protection for individuals and organizations by ensuring everyone knows what should be done in a particular situation. (“It wasn’t my fault – I was just following policy!”)
Unfortunately, today’s security policies don’t do such a good job. Perhaps it’s because they have become unwieldy. Policies these days are long documents filled with unreadable language, likely because they are cobbled together from input by disparate groups with disparate goals (including human resources, legal, and information technology experts). While policies are meant to ensure everyone knows what to do, they are so lengthy and unreadable that nobody bothers to read them.
The goal of Prioritized Policy™ is to make security policy more relevant and actionable to every individual in an organization.
Creating a Prioritized Policy™ happens in three steps:
- The first is to simplify policy to the extent possible, removing “legalese” and anything difficult to understand.
- The next step is to apply perspective to policy, ensuring that each individual gains an awareness of the policies that apply in their particular situation or role.
- The final step is to prioritize policies according to business needs, capabilities, risk tolerance, and current threats, so that not every policy statement carries the same weight.
Current policies are often used as a weapon to force users and organizations into compliance through threat of some penalty. (And their size and weight tend to make them pretty good weapons, at that.) A well-developed Prioritized Policy™ can be used instead as a tool to raise security awareness within an organization, connecting individuals to the consequences of their actions. Rather than the security department constantly attempting to protect people from themselves, a strong security awareness program can allow individuals to take responsibility for their actions and be held accountable.