A number of people have asked me for suggestions of third party online references which provide guidance upon how to make better security policies. Clearly Risk and Security policy should be the foundation of all things security in each of our organisations and yet in many cases security policies fail horribly. Here are some of the reasons why policies often fail:

  • The policy was "set in stone". However well it's written a security policy must be frequently reviewed and updated to match how your business actually works. Business isn't static, nor should your policy.
  • Security policy should be the reason WHY you need to implement technical security controls
  • A policy without consequences is worthless. "Why should I comply" is something that should be clearly stated in the policy
  • A policy that's so complex that few people understand it is worthless
  • A policy that's not accessible to ALL of your users is worthless
  • If your users think "this is a stupid policy" then either IT IS OR it's not clearly explained to them
  • A security policy is worthless unless your users are security aware

I found the following links from Steve Riley's security policy session @ IT Forum:

Information Security Policies Made Easy, 9/e by Charles Cresson Wood

Information Security Policy World

SANS Security Policy Project

Site Security Handbook