So, let's talk a little bit about elements
of good policy.
Number one on my list: driven directly by
business requirements.
It will enable productivity by allowing
secure access to information resources.
One of the things that we, as computer
security professionals, typically do wrong.
A, we use the wrong language in
describing what we're trying to do.
B, maybe we're using the right language in
the wrong way.
So, if I walk into a, a group of my peers
or executives and I start talking about
this new initiative where we're going to
protect these laptops that are
unfortunately, flying off the shelves or
out of our cars.
And I start by saying well, what we need
to do is prevent X, keep Y from happening
and make sure that we absolutely stop Z.
What the executive is hearing is, he is
preventing, stopping in all kinds of ways,
making stuff not happen.
That's not their world.
Their world is about making things happen.
Their world is about making the needs of
the business come first.
And those business requirements happen in
the smooth as possible way.
So, when you chart, when you start out in
negative terms.
When you start out defining things that
won't happen.
And things that must not be.
They're not hearing any of what you say.
They're just hearing that you're a big
preventer.
Alright, when that's the case you're,
you're not going to be able to make your
case.
So, you know a good policy is, is an
enabler.
Good policy says, hey look at this, we found
a secure way to actually allow all you
people out there to run around with your
laptops like you always have.
If we weren't able, what you are not
seeing in this policy is if we weren't
able to find that secure way,
We'd be asking you for your laptops back
because we can't have this keep happening,
You know, let the firings begin.
So.
I think good policy is clear, and, and,
and usually short.
My customers.
I, I develop a lot of policy for my
customers.
They're always surprised by how brief I
typically make them.
I'm, I'm always striving to make short
statements that completely make sense to
everybody that reads them, in terms of
policy.
When we start talking about the technical
stuff, when we get into procedures,
guidelines, and all that kind of stuff,
then we can get into all the geeky
technical stuff that must happen to make
this policy work.
But when it's about the policy,
I personally have never written a
policy that was more than two pages long
about a specific thing.
If you can't describe the thing you want
to happen in two pages, you've, taken on
the wrong thing, essentially.
You, you, you're going about it the wrong
way.
You need to break it down a little bit
further such that you can make simple
policy statements that people understand.
A corollary to that is it should be
measurable.
When I'm, when I'm talking about
measurability here, I'm talking about the
ability to measure compliance.
Then we'll, we'll get into a lot of, more
about that when I start talking about
maturity models and, and how maturity
models relate to policy but the simplest
way to think of this is that if you have a
policy, and you think that policy is in
place, and the people understand it, and
that it's actually doing what it's
supposed to be doing.
You don't actually know that unless you
can actually measure compliance.
Unless you can look at... It's amazingly
annoying.
Unless you can actually look at this
policy and how people are behaving in
relationship to the policy and say, well
this is how well the policy's doing.
Or hey, the policy's not, you know?
People either don't understand it, they
don't know it.
Or they do understand it and they know it
and they're not complying.
What's the number one reason that people
don't comply with policy?
Complexity is one.
It's not the top of my list but it's, it's
near the top.
We weren't told it in the first place.
Well now I've sure told it.
In the back.
[inaudible].
Inconvenience.
That is the number one reason that people
do not adhere to policy.
And, that inconvenience typically I,
interestingly enough, most of us wanna try
to do our job.
The inconvenience is typically related to,
this policy makes it hard, impossible,
difficult to do the thing that you hired
me to do.
So I am going to ignore it.
So, you have to avoid all of that kind of
mess.
Good policy has to be enforceable.
What we mean by enforcement is going to
vary actually from company to company,
organization to organization.
But you have to actually have some way of
saying you must accomplish this thing that
we have asked you to do, or, there are
consequences alright?
The variability for that is, is industry
variability. It's regulatory compliance
variability.
There's lots and lots of reasons that
that's not the same for everybody.
Number five on my list,
And I invented a word for this.
It's "regulatorily correct." The
spellchecker didn't like that.
Obviously what I mean though is that
policy itself must reflect any regulations
that actually drive what your business
must do.
Raise your hand if you're in an industry
that has no federal regulations regarding
your security policy.
Wow.
I asked that exact same question about
three years ago.
And three-quarters of the class raised
their hands.
Until one by one I explained what,
regulation, what federal agency cared
about them.
It's almost never been true, but it's
certainly not true now.
HIPAA. Gramm-Leach-Bliley.
What's another, who haven't I got?
SOX.
SOX, of course, that's all of you that
are public.
Any other fun ones that I'm missing?
ITAR, ITAR, ITAR?
All of you Boeing people are e, expoing
people.
[inaudible] [laugh].
You took your laptop and left.
[inaudible].
[laugh] So, okay, and again, the category
of, of, of the list we are going through
right now is elements of good policy,
those were mine.
What are yours?
What else should good policy have?
I listed everything.
Yes.
We did a review.
Absolutely.
Good policy, and actually good maturity in
your policy, requires regular review.
Yes.
I was going to say accessibility.
In other words, it's got to be, people
have to be able to find it and read it.
Accessibility is critical.
The, the idea that you're going to
generate a bunch of policy and you know,
print it and then put it on a shelf for
somebody to come and you know, at their
leisure come and read is never going to
happen.
Beyond accessibility I would actually try
to take up the next step and I'm not sure
what they call this but essentially,
mandatory accessibility.
You have to make sure that people are
exposed to your policy.
You can't just make it available and say,
look, you know what, we wrote 800 pages of
policy and it's on this internal link to
this web server.
Please, everybody go read it.
How many would?
Everybody in this class would, of course,
because you're directly involved and care
a lot about these sorts of things but none
of your peers would.
You absolutely must make sure that they
read it.
Given that scenario, given the scenario of
an internet server and you've made it
available.
Any ideas on how, how you would enforce
that, or how you would assure?
Yes.
The agreements are on hiring and
orientation.
Orientation, new employee orientation is a
good place to have people at least sign a
piece of paper saying that they read the
last 400 pages and they agreed to
everything in it.
Yes.
In my company they put it on video and
they track everyone who's viewed it.
Once you've watched them all you get a
little certificate of completion.
It's not real but it's like tracked and if
you don't do it they harass you and your
manager until you do it.
And, so, they have 90, over 99 compliance
in people viewing the latest training on
it.
So.
A technology company, they actually are
tracking probably electronically whether
or not you've clicked on the view this
video link.
They didn't track whether or not you
walked away from your desk while you're.
It's like.
How many of, how many viewings actually
started at 11:59:59?
Nobody tracked that part?
Yes, in the back, and then you.
[inaudible].
We had a, for a sexual harassment
training, we had to take some tests.
We had to watch some videos on some
website, and then take a test afterwards
regarding each of these.
And it went into quite a bit of time.
It was spread out over, like, a couple
weeks or something.
Tests are fantastic.
A fantastic way to assure that somebody's
actually, not only read something, but
understood it.
Let me get back to that in a moment.
Go ahead.
[inaudible].
Our interactive training system.
And it does have tests embedded in the
viewing.
So, unless you take somebody else's, which
nobody's going to do,
Right?
And I know we have a lawyer in the room,
who is it?
[inaudible].
Ted's not here?
No lawyer in the room.
There's a very interesting thing going on
right now in the sort of, click-through
agreements, which is that.
The courts are, and I wish it was here
actually to correct me because I am sure I
am wrong on this.
But the courts are getting a little wishy
washy on whether or not any of that is of
any value.
So, yes.
[inaudible] because, just because
somebody's indicated that they have put
through a page or they've accepted that
page does not ensure that, that content
hasn't changed.
So what have they accepted?
And that's not necessarily a static thing.
Agreed.
Although even the static stuff.
People are wondering whether or not it's
reasonable to assume that you did actually
read all twenty pages of legal mumbo jumbo
before you clicked on the yes.
I'm going to okay this because that means
I can now use XP.
Yes.
I've researched this.
It's less than .001, probably.
People might, some people will
possibly start to read it, and then they
will scroll and see how long it is and
give up.
But no one, I've never seen anyone
actually put in the effort to read it.
And that's with someone watching them and
them wanting to please me.
[inaudible].
Huh?
Who [inaudible].
Yeah, lawyers.
Actually they read chunks of it.
Maybe it's five or six of them and they
all put it together, so none of them read
the whole thing.
That, and, there's, there's a few perverse
people out there in the world, who
actually, I, I think they're kind of, good
examples of creative writing.
And I read them because I, I'm amused by
some of the stuff they put in there about
the fact that you know they're not
responsible with it, you know, if.
Good example, Windows Vista, if Windows
Vista explodes, and the parts fly
throughout the room.
Completely obliterate all life.
Windows is and Microsoft is not
responsible.
Absolutely guaranteed.
It's, it's definitely on like page 30.
The whole explosion part.
Isn't there something in here about the
wind blows and the tree falls.
That Microsoft isn't.
Certainly not responsible.
So, not very many people are like me.
Not very many people actually think that's
amusing reading.
They actually just page down as far as
they can and click on the, it's okay
button.
Most amusing thing I think I ever saw in
one of those was actually that somebody
programmatically looked at how long it
took between displaying the first page and
you clicking on the Okay.
And if it wasn't long enough.
They just said, "Look, you didn't read
that.
Go back and try again." [laugh] I, I
thought that was hilarious.
But.
And that's why testing, actually, starts
to get around a little bit of this.
I can't imagine what would happen if some
of the longer click through agreements
started asking okay, so, under limited
liability.
Were we liable for any pet deaths in
your family?
[laugh] So these sorts of things are
actually starting to, to change the way we
look at stuff.
I really, really like by the way new
employee orientation and new employee
agreements with tests.
I'm starting to see places that actually
implement.
You must read all of this stuff, all of
these policies, procedures and how do we
do business and so on and so forth.
And, sometime within the next couple of
days you're going to have to take a test on
it, and pass, or you're not an employee.
So,
Anything, any other by the way, all great
elements of good policy.
Yes?
[inaudible].
Absolutely.
You have to have something to back it up.
If I merely suggest to all of you that
you don't take employee data and,
willy-nilly, start flapping it around the
internet.
And I'm not prepared to do anything about
it if you do.
The policy has no effect.
It has, it has really no, no teeth.
Yes.
I think policy should be enforced at all
levels of the organization.
So senior management is responsible for
living up to that policy as well as junior
staff.
We've had situations where political
content, for instance, was sent through
the email to employees regarding certain
initiatives from senior management.
And it was pointed out to them, you
realize you just made a policy
unenforceable.
Yeah.
[inaudible].
And then, that's actually.
And, and who do, I won't even ask who you
work for.
A healthcare organization.
A healthcare organization.
[inaudible] That's what the issue is.
Interesting.
That, I see that a lot more in smaller
organizations, you know, organizations of,
of a few thousand people and less, where the
management of the organization is not used
to having to kind of put up with this
uniformity of policy enforcement.
Larger organizations usually kind of get
it.
Not always.
I mean there's.
[inaudible].
Yeah, yeah.
It's so, it is absolutely.
It is very, very important that people
realize that policy is enforced from the
top to the bottom.
In fact, it's you know, emanates from
business requirements set by the people at
the very top.
So, if those business requirements
dictated this policy.
And they violate policy.
Either the business requirements weren't
accurate in the, in the first place.
Or they're actually acting counter to the
best interest of the company, or the
organization.