Hidden Benefits of a Bad-Ass Infosec Policy

Most large companies have strict information security policies. They do it to comply with legal obligations and to minimize liability concerns (e.g. HIPAA, GLB, PCI, etc.). The smart executive knows that a data breach can be expensive and damaging; just ask Heartland Payment Systems, the Veteran’s Administration or TJ Maxx. Start-ups should also understand that compliance and liability concerns aren’t just for large companies. Everyone, big and small, should be worried about this stuff.

A lawyer would probably advise that a company need only meet the minimum requirements to mitigate risks and comply with the law. However, I’m suggesting you do the opposite. Go out and get the most challenging, restrictive and detailed policy you can find (a.k.a. “a bad-ass information security policy”™). Start from there and work your way back to whatever is manageable (and hopefully more than the minimum). It’s worth it.

I’m at the tail end of a long process of improving the information security policy for the IAPP. We currently have a perfectly adequate policy in place, and certainly nothing to be ashamed of or worried about, but, with some sage advice from Brian Tretick, we’re working to do better.

The process of starting with the very thorough policy Brian gave me was an eye-opener. When I started to work from a model policy that, if followed to the letter, would make the IAPP fully PCI and HIPAA compliant (as well as compliant with other regulations), I started to see all sorts of projects we could/should tackle. Projects that would make us smarter and safer and give us a stronger technology foundation from which to grow. And, surprisingly, many of them weren’t that difficult or expensive.

In fact, I uncovered a list of projects to improve my department, some of which I don’t believe I ever would have considered if I was just thinking about what was required. It also gave me motivation to enforce some things that I knew I should be doing but “hadn’t gotten around to yet.”

A short list of some of the things I tackled:

None of these were too difficult. However, there are some things in the model policy that were just a bit too much for an organization with fewer than 50 employees. For example (from the model policy):

Company will document repairs and modifications to the physical components of a facility that are related to security

Or are too much of a change in our current culture:

Other e-mail, including any administrative or personal e-mail, should be deleted 30 days after it is received or created.

Then there are those things that might be good practice but aren’t required and either cost too much to implement or require too much from the employees (I’d rather not discuss those).

Make no mistake, going through this process is a burden on the organization, and there are real costs in time and productivity to implement such a policy, so take caution with what you pick and choose to implement. But I’ve found that so much of what I was missing wasn’t that hard to implement.

TrueCrypt makes it easy to create encrypted partitions on laptops. Alfresco helps with versioning and securing sensitive documents. Logwatch lets us know when changes to a system have been made. Finally, requiring a formal disaster recovery plan had me detailing our systems, calling vendors to get costs and training users on the details of the policy, which has allowed me to gain insight into details that I otherwise might have overlooked.

Having said all that, I must admit that this process wasn’t fun. I didn’t enjoy writing documentation, restricting users or making plans for the worst, but the process was a tremendous learning exercise and is proving to have tangible benefits for the organization as well. I highly recommend that anyone with information management responsibilities find an information security policy template and let it put you through your paces.
