So, let's talk a little bit about elements of good policy.

Number one on my list: driven directly by business requirements. It will enable productivity by allowing secure access to information resources.

One of the things that we, as computer security professionals, typically do wrong: A, we use the wrong language in describing what we're trying to do. B, maybe we're using the right language in the wrong way. So, if I walk into a group of my peers or executives and I start talking about this new initiative where we're going to protect these laptops that are unfortunately flying off the shelves or out of our cars, and I start by saying, well, what we need to do is prevent X, keep Y from happening, and make sure that we absolutely stop Z, what the executive is hearing is: he is preventing, stopping, in all kinds of ways making stuff not happen. That's not their world. Their world is about making things happen. Their world is about making the needs of the business come first, and those business requirements happen in the smoothest possible way. So, when you start out in negative terms, when you start out defining things that won't happen and things that must not be, they're not hearing any of what you say. They're just hearing that you're a big preventer. Alright, when that's the case, you're not going to be able to make your case.
So, you know, a good policy is an enabler. Good policy says, hey, look at this, we found a secure way to actually allow all you people out there to run around with your laptops like you always have. What you are not seeing in this policy is: if we weren't able to find that secure way, we'd be asking you for your laptops back, because we can't have this keep happening. You know, let the firings begin.

So, I think good policy is clear, and usually short. I develop a lot of policy for my customers. They're always surprised by how brief I typically make them. I'm always striving to make short statements that completely make sense to everybody that reads them, in terms of policy. When we start talking about the technical stuff, when we get into procedures, guidelines, and all that kind of stuff, then we can get into all the geeky technical stuff that must happen to make this policy work. But when it's about the policy, I personally have never written a policy that was more than two pages long about a specific thing. If you can't describe the thing you want to happen in two pages, you've taken on the wrong thing, essentially. You're going about it the wrong way. You need to break it down a little bit further, such that you can make simple policy statements that people understand.
A corollary to that is it should be measurable. When I'm talking about measurability here, I'm talking about the ability to measure compliance. We'll get into a lot more about that when I start talking about maturity models and how maturity models relate to policy, but the simplest way to think of this is that if you have a policy, and you think that policy is in place, and the people understand it, and that it's actually doing what it's supposed to be doing, you don't actually know that unless you can actually measure compliance. Unless you can look at... it's amazingly annoying. Unless you can actually look at this policy and how people are behaving in relationship to the policy and say, well, this is how well the policy's doing. Or, hey, the policy's not, you know? People either don't understand it, they don't know it, or they do understand it and they know it and they're not complying.

What's the number one reason that people don't comply with policy? Complexity is one. It's not the top of my list, but it's near the top. We weren't told it in the first place. Well, now I've sure told it. In the back. [inaudible]. Inconvenience. That is the number one reason that people do not adhere to policy. And that inconvenience, interestingly enough, most of us want to try to do our job. The inconvenience is typically related to: this policy makes it hard, impossible, difficult to do the thing that you hired me to do, so I am going to ignore it. So, you have to avoid all of that kind of mess.
Good policy has to be enforceable. What we mean by enforcement is going to vary, actually, from company to company, organization to organization. But you have to actually have some way of saying you must accomplish this thing that we have asked you to do, or there are consequences, alright? The variability for that is industry variability. It's regulatory compliance variability. There's lots and lots of reasons that that's not the same for everybody.

Number five on my list, and I invented a word for this: it's "regulatorily correct." The spellchecker didn't like that. Obviously, what I mean, though, is that policy itself must reflect any regulations that actually drive what your business must do.

Raise your hand if you're in an industry that has no federal regulations regarding your security policy. Wow. I asked that exact same question about three years ago, and three-quarters of the class raised their hands. Until, one by one, I explained what regulation, what federal agency cared about them. It's almost never been true, but it's certainly not true now.
HIPAA. Gramm-Leach-Bliley. What's another? Who haven't I got? SOX. SOX, of course, that's all of you that are public. Any other fun ones that I'm missing? ITAR, ITAR? All of you Boeing people are exporting people. [inaudible] [laugh]. You took your laptop and left. [inaudible].

[laugh] So, okay, and again, the category of the list we are going through right now is elements of good policy. Those were mine. What are yours? What else should good policy have? I listed everything. Yes.

We did a review.

Absolutely. Good policy, and actually good maturity in your policy, requires regular review. Yes.
I was going to say accessibility. In other words, it's got to be, people have to be able to find it and read it.

Accessibility is critical. The idea that you're going to generate a bunch of policy and, you know, print it and then put it on a shelf for somebody to come and, you know, at their leisure come and read is never going to happen. Beyond accessibility, I would actually try to take it up the next step, and I'm not sure what they call this, but essentially, mandatory accessibility. You have to make sure that people are exposed to your policy. You can't just make it available and say, look, you know what, we wrote 800 pages of policy and it's on this internal link to this web server. Please, everybody go read it. How many would? Everybody in this class would, of course, because you're directly involved and care a lot about these sorts of things, but none of your peers would. You absolutely must make sure that they read it. Given that scenario, given the scenario of an internet server and you've made it available, any ideas on how you would enforce that, or how you would assure? Yes.
The agreements are on hiring and orientation.

Orientation, new employee orientation, is a good place to have people at least sign a piece of paper saying that they read the last 400 pages and they agreed to everything in it. Yes.

In my company they put it on video and they track everyone who's viewed it. Once you've watched them all, you get a little certificate of completion. It's not real, but it's, like, tracked, and if you don't do it they harass you and your manager until you do it. And so they have 90, over 99 compliance in people viewing the latest training on it.

So, a technology company: they actually are tracking, probably electronically, whether or not you've clicked on the "view this video" link. They didn't track whether or not you walked away from your desk while you're... It's like, how many viewings actually started at 11:59:59? Nobody tracked that part? Yes, in the back, and then you. [inaudible].

We had, for a sexual harassment training, we had to take some tests. We had to watch some videos on some website and then take a test afterwards regarding each of these. And it went into quite a bit of time. It was spread out over, like, a couple weeks or something.

Tests are fantastic. A fantastic way to assure that somebody's actually not only read something but understood it. Let me get back to that in a moment. Go ahead. [inaudible].
Our interactive training system. And it does have tests embedded in the viewing. So, unless you take somebody else's, which nobody's going to do, right?

And I know we have a lawyer in the room, who is it? [inaudible]. Ted's not here? No lawyer in the room. There's a very interesting thing going on right now in the sort of click-through agreements, which is that the courts are, and I wish he was here, actually, to correct me, because I am sure I am wrong on this, but the courts are getting a little wishy-washy on whether or not any of that is of any value. So, yes.

[inaudible] because just because somebody's indicated that they have put through a page, or they've accepted that page, does not ensure that that content hasn't changed. So what have they accepted? And that's not necessarily a static thing.

Agreed. Although even the static stuff: people are wondering whether or not it's reasonable to assume that you did actually read all twenty pages of legal mumbo jumbo before you clicked on the yes. I'm going to okay this because that means I can now use XP.
Yes. I've researched this. It's less than zero, probably .001. People might, some people will possibly start to read it, and then they will scroll and see how long it is and give up. But no one, I've never seen anyone actually put in the effort to read it. And that's with someone watching them and them wanting to please me. [inaudible].

Huh? Who [inaudible]. Yeah, lawyers. Actually, they read chunks of it. Maybe it's five or six of them and they all put it together, so none of them read the whole thing. That, and there's a few perverse people out there in the world who actually, I think they're kind of good examples of creative writing, and I read them because I'm amused by some of the stuff they put in there about the fact that, you know, they're not responsible with it, you know, if... Good example, Windows Vista: if Windows Vista explodes, and the parts fly throughout the room, completely obliterate all life, Windows is, and Microsoft is, not responsible. Absolutely guaranteed. It's definitely on, like, page 30, the whole explosion part. Isn't there something in here about the wind blows and the tree falls? That Microsoft isn't... Certainly not responsible. So, not very many people are like me. Not very many people actually think that's amusing reading. They actually just page down as far as they can and click on the "It's okay" button.
Most amusing thing I think I ever saw in one of those was actually that somebody programmatically looked at how long it took between displaying the first page and you clicking on the Okay, and if it wasn't long enough, they just said, "Look, you didn't read that. Go back and try again." [laugh] I thought that was hilarious. But. And that's why testing, actually, starts to get around a little bit of this. I can't imagine what would happen if some of the longer click-through agreements started asking, okay, so, under limited liability, were we liable for any pet deaths in your family? [laugh] So these sorts of things are actually starting to change the way we look at stuff.

I really, really like, by the way, new employee orientation and new employee agreements with tests. I'm starting to see places that actually implement: you must read all of this stuff, all of these policies, procedures, and how we do business, and so on and so forth. And sometime within the next couple of days you're going to have to take a test on it and pass, or you're not an employee. So, anything, any other? By the way, all great elements of good policy. Yes? [inaudible].

Absolutely. You have to have something to back it up. If I merely suggest to all of you that you don't take employee data and willy-nilly start flapping it around the internet, and I'm not prepared to do anything about it if you do, the policy has no effect. It has really no teeth. Yes.
I think policy should be enforced at all levels of the organization. So senior management is responsible for living up to that policy as well as junior staff. We've had situations where political content, for instance, was sent through the email to employees regarding certain initiatives from senior management. And it was pointed out to them, you realize you just made a policy unenforceable.

Yeah. [inaudible]. And then, that's actually... And who do, I won't even ask who you work for.

A healthcare organization.

A healthcare organization. [inaudible] That's what the issue is. Interesting. That, I see that a lot more in smaller organizations, you know, organizations of a few thousand people and less, where the management of the organization is not used to having to kind of put up with this uniformity of policy enforcement. Larger organizations usually kind of get it. Not always. I mean, there's... [inaudible]. Yeah, yeah. It's so, it is absolutely. It is very, very important that people realize that policy is enforced from the top to the bottom. In fact, it, you know, emanates from business requirements set by the people at the very top. So, if those business requirements dictated this policy, and they violate policy, either the business requirements weren't accurate in the first place, or they're actually acting counter to the best interest of the company, or the organization.