How Important is Policy Anyway?
Last Updated 13 March 2006
One of the things I hear from every security practitioner is that you must have a policy, and that policy is the cornerstone on which all security is built. To some extent this is true, but it's important to understand why, so that (as security practitioners) we can put things in perspective.
To illustrate - I've seen organisations (generally fairly small) without any form of policy document that seem to manage their security very well. I've also seen organisations with incredibly formal policy document suites that have failed to implement security consistently.
Moreover, I've seen cases where people concentrate on getting the policy "right" to the detriment of actually implementing any security controls. Talking about security is great - but that's all policy does - it talks about it. You still need to back it up with actual measures.
Over many years of observing different stages of policy maturity I've come to the conclusion that good policy is generally a symptom of a well run security organisation, not a cause. Note that I say policy, not policy documentation. There are plenty of organisations out there without any formal security policy in place who still manage to implement good security practices. In such cases it generally means there is a person or a small group of people who understand where they want the organisation to be from a security perspective, and who control or influence all changes and decisions within the organisation to ensure that the security direction is followed. This doesn't scale, but it does work very well for small organisations - until the key person or group of people leave.
The Benefits of Policy
So, if policy is not the be-all and end-all of security, why bother? The following (non-exhaustive) list provides some of the positives I've seen flowing from policy in an organisation.
It puts the business in control (and keeps your security people under control!)
Too much security is often just as bad as too little, but in large organisations it is hard to strike the balance between security and the business. This is particularly true given that the average security person has a technical (i.e. not business) background and a high level of paranoia.
Moreover, a good security person is by nature risk-averse. We are not generally in the business of accepting risk on behalf of the company we work for. Rather, we are doing our best to remove those risks entirely.
And that's where policy comes in. Traditionally we think of policy as stating "what is not permitted in this organisation". But it can equally state "this is what is permitted in this organisation" - in other words, the business deciding for itself which risks it is prepared to carry.
So good policy puts the business back in control of high-level security decisions. It recognises that (except in rare circumstances) the organisation's objective is not actually security - and that to achieve the real objective, security must sometimes play second fiddle.
It simplifies decision making
For detailed technical issues, policy won't give you the answers (standards may - but that's for another day). However, it will dictate who has to be involved, or what process a decision needs to go through.
It provides for consistent security
As an organisation grows, an enforced policy ensures a consistent approach to security is taken everywhere. This matters more and more as the network and the number of administered systems grow: during an attack or a virus outbreak, an area that has slipped under the policy radar can impact every other area in the organisation. Note the word enforced - a policy that is written down but not enforced provides no consistency at all.
What policy does not provide
So if policy can deliver on consistent and sound decision making - what doesn't it give you?
Policy does not deliver security. It provides the basis for security, but it doesn't mean diddly if it isn't backed up with measures and controls that actually implement what the policy requires.
This seems obvious - but it's amazing how many people spend months working on a policy when it's plain they have a massive hole in their firewall infrastructure that is far more important to fix.
No matter whether your organisation is big or small, nimble or slow, plays safe or takes risks - its culture will drive security. There are organisations where the policy documentation set is fantastic, but the implementation of the policy is dreadful. If the culture of an organisation does not see security as important, then no amount of documentation writing is going to fix the problem.
Fixing culture is an incredibly hard thing to do. Policy is one tool in the arsenal for fixing it, but it takes more than policy alone. I'll leave this one as another discussion for another day.
Related to culture, the question of authority often comes up when policy is discussed: "If we can get this policy in place it will give us the authority we need to get security right!"
What a bl**dy furphy that is. Good policy flows from authority, not the other way around. If the CEO doesn't buy into the concepts behind what you are trying to achieve, no amount of document writing is going to overcome the fact that the CEO will continue doing things her/his way. And people will watch what the CEO does and take their cues from those actions.