SLAC Computer Security

Cyber Security Awareness Month

These tips are part of a month-long effort to distribute useful computer security information to the SLAC community.

Day 6 - Developing and Distributing Policies
OK, so learning about developing policies isn't really that exciting... You might be right about that. However, policies are a necessary part of any business. What follows are some suggestions from the SANS Internet Storm Center staff.
  • Make sure you have senior management support.
  • Write SMART policies: Specific, Measurable, Achievable, Realistic, Time-based.
  • Keep the audience in mind when writing policies. 
  • If it doesn’t have the word MUST in it, consider moving it to a guideline or standard. In other words, keep policies as policies, guidelines as guidelines and procedures as procedures. You’ll only confuse the message if you mix them.
  • Make sure you have a compliance statement; people need to know what happens if the policy is not followed.
  • Make sure it is available to everyone.
  • Regularly review the policy.
  • Get legal to check them out.
  • Collaborate with stakeholders in developing the policy.
  • Make sure you cover items of specific risk in the organisation.
  • Make sure the policy is in line with the corporate objectives and overall security posture.
  • Get people to sign that they have read and understood the policies.
  • Reinforce the message regularly.

After writing the policies you will need to make sure they are disseminated. There have been plenty of examples over the years where people have been sacked and then reinstated because of weak policies or policies that weren’t enforced or were enforced inconsistently. The traditional methods are publishing on the intranet, as part of the induction process, document management systems, etc. A good idea is to develop a quiz which must be taken by staff. That way the lessons are reinforced and you have a register of who has read and understood the policy.

Owner: SLAC Computer Security
Page Created: 10/06/2007
Last Updated: 02/19/2008