0:00:00.000,0:00:04.900 So, let's talk a little bit about elements of good policy.
0:00:07.300,0:00:12.200 Number one on my list: driven directly by business requirements.
0:00:13.580,0:00:20.818 It will enable productivity by allowing secure access to information resources.
0:00:20.818,0:00:25.555 One of the things that we, as computer
0:00:25.555,0:00:32.880 security professionals, typically do wrong. A, we use the wrong language in
0:00:32.880,0:00:39.859 describing what we're trying to do. B, maybe we're using the right language in
0:00:39.859,0:00:44.754 the wrong way. So, if I walk into a group of my peers
0:00:44.754,0:00:51.019 or executives and I start talking about this new initiative where we're going to
0:00:51.019,0:00:55.035 protect these laptops that are, unfortunately, flying off the shelves or
0:00:55.035,0:00:59.554 out of our cars. And I start by saying, well, what we need
0:00:59.554,0:01:05.780 to do is prevent X, keep Y from happening, and make sure that we absolutely stop Z.
0:01:07.680,0:01:14.295 What the executive is hearing is, he is preventing, stopping, in all kinds of ways
0:01:14.295,0:01:18.205 making stuff not happen. That's not their world.
0:01:18.205,0:01:22.630 Their world is about making things happen. Their world is about making the needs of
0:01:22.630,0:01:26.147 the business come first. And those business requirements happen in
0:01:26.147,0:01:29.719 the smoothest possible way. So, when you chart, when you start out in
0:01:29.719,0:01:32.650 negative terms. When you start out defining things that
0:01:32.650,0:01:34.836 won't happen. And things that must not be.
0:01:34.836,0:01:39.046 They're not hearing any of what you say. They're just hearing that you're a big
0:01:39.046,0:01:42.620 preventer. Alright, when that's the case,
0:01:42.620,0:01:45.263 you're not going to be able to make your case.
0:01:45.263,0:01:46.929 So, you know, a good policy is an enabler.
0:01:46.929,0:01:51.583 Good policy says, hey, look at this, we found a secure way to actually allow all you
0:01:51.583,0:01:55.604 people out there to run around with your laptops like you always have.
0:01:55.604,0:01:59.913 If we weren't able, what you are not seeing in this policy is, if we weren't
0:01:59.913,0:02:05.280 able to find that secure way, we'd be asking you for your laptops back
0:02:05.580,0:02:11.800 because we can't have this keep happening. You know, let the firings begin.
0:02:12.560,0:02:19.265 So. I think good policy is clear, and,
0:02:19.265,0:02:22.548 and usually short. My customers.
0:02:22.548,0:02:25.328 I develop a lot of policy for my customers.
0:02:25.328,0:02:29.035 They're always surprised by how brief I typically make them.
0:02:29.035,0:02:33.916 I'm always striving to make short statements that completely make sense to
0:02:33.916,0:02:36.696 everybody that reads them, in terms of policy.
0:02:36.696,0:02:41.391 When we start talking about the technical stuff, when we get into procedures,
0:02:41.391,0:02:45.901 guidelines, and all that kind of stuff, then we can get into all the geeky
0:02:45.901,0:02:49.484 technical stuff that must happen to make this policy work.
0:02:49.484,0:02:54.700 But when it's about the policy, I personally have never written a
0:02:54.700,0:02:59.820 policy that was more than two pages long, about a specific thing.
0:03:00.160,0:03:05.404 If you can't describe the thing you want to happen in two pages, you've taken on
0:03:05.404,0:03:09.862 the wrong thing, essentially. You're going about it the wrong
0:03:09.862,0:03:12.681 way. You need to break it down a little bit
0:03:12.681,0:03:17.860 further such that you can make simple policy statements that people understand.
0:03:18.180,0:03:24.920 A corollary to that is it should be measurable.
0:03:25.700,0:03:30.873 When I'm talking about measurability here, I'm talking about the
0:03:30.873,0:03:36.680 ability to measure compliance. Then we'll get into a lot more
0:03:36.680,0:03:41.517 about that when I start talking about maturity models and how maturity
0:03:41.517,0:03:47.278 models relate to policy, but the simplest way to think of this is that if you have a
0:03:47.278,0:03:51.481 policy, and you think that policy is in place, and the people understand it, and
0:03:51.481,0:03:54.500 that it's actually doing what it's supposed to be doing.
0:03:54.860,0:04:01.109 You don't actually know that unless you can actually measure compliance.
0:04:01.109,0:04:09.244 Unless you can look at... It's amazingly annoying.
0:04:09.437,0:04:14.263 Unless you can actually look at this policy and how people are behaving in
0:04:14.263,0:04:19.153 relationship to the policy and say, well, this is how well the policy's doing.
0:04:19.153,0:04:23.785 Or, hey, the policy's not, you know? People either don't understand it, they
0:04:23.785,0:04:27.389 don't know it. Or they do understand it and they know it
0:04:27.389,0:04:31.700 and they're not complying. What's the number one reason that people
0:04:31.700,0:04:35.691 don't comply with policy? Complexity is one.
0:04:35.691,0:04:39.259 It's not the top of my list, but it's near the top.
0:04:39.454,0:04:43.864 We weren't told it in the first place. Well, now I've sure told it.
0:04:43.864,0:04:45.616 In the back. [inaudible].
0:04:45.810,0:04:49.443 Inconvenience. That is the number one reason that people
0:04:49.443,0:04:53.701 do not adhere to policy. And that inconvenience typically, I,
0:04:54.065,0:04:57.460 interestingly enough, most of us want to try to do our job.
0:04:58.460,0:05:04.010 The inconvenience is typically related to, this policy makes it hard, impossible,
0:05:04.010,0:05:07.523 difficult to do the thing that you hired me to do.
0:05:07.523,0:05:14.660 So I am going to ignore it. So, you have to avoid all of that kind of
0:05:14.660,0:05:21.842 mess. Good policy has to be enforceable.
0:05:24.600,0:05:30.266 What we mean by enforcement is going to vary, actually, from company to company,
0:05:30.266,0:05:35.424 organization to organization. But you have to actually have some way of
0:05:35.424,0:05:41.235 saying you must accomplish this thing that we have asked you to do, or there are
0:05:41.235,0:05:48.435 consequences, alright? The variability for that is industry
0:05:48.435,0:05:51.831 variability. It's regulatory compliance variability.
0:05:51.831,0:05:56.360 There's lots and lots of reasons that that's not the same for everybody.
0:05:58.520,0:06:03.585 Number five on my list, and I invented a word for this.
0:06:03.585,0:06:09.980 It's "regulatorily correct." The spellchecker didn't like that.
0:06:10.240,0:06:16.871 Obviously what I mean, though, is that policy itself must reflect any regulations
0:06:16.871,0:06:20.920 that actually drive what your business must do.
0:06:21.540,0:06:26.711 Raise your hand if you're in an industry that has no federal regulations regarding
0:06:26.711,0:06:30.980 your security policy. Wow.
0:06:31.780,0:06:36.177 I asked that exact same question about three years ago.
0:06:36.177,0:06:40.045 And three-quarters of the class raised their hands.
0:06:40.045,0:06:45.428 Until one by one I explained what regulation, what federal agency cared
0:06:45.428,0:06:49.295 about them. It's almost never been true, but it's
0:06:49.295,0:06:57.320 certainly not true now. HIPAA. Gramm-Leach-Bliley.
0:07:00.183,0:07:02.745 What's another, who haven't I got? SOX.
0:07:02.928,0:07:05.980 SOX, of course, that's all of you that are public.
0:07:06.640,0:07:17.300 Any other fun ones that I'm missing? ITAR. ITAR, ITAR?
0:07:18.017,0:07:22.886 All of you Boeing people are exporting people.
0:07:23.733,0:07:29.343 [inaudible] [laugh]. You took your laptop and left.
0:07:30.189,0:07:35.069 [inaudible]. [laugh] So, okay, and again, the category
0:07:35.069,0:07:41.090 of the list we are going through right now is elements of good policy,
0:07:41.090,0:07:43.546 those were mine. What are yours?
0:07:43.546,0:07:52.544 What else should good policy have? I listed everything.
0:07:52.544,0:07:54.486 Yes. We did a review.
0:07:54.740,0:07:59.215 Absolutely. Good policy, and actually good maturity in
0:07:59.215,0:08:02.593 your policy, requires regular review. Yes.
0:08:02.846,0:08:08.757 I was going to say accessibility. In other words, it's got to be, people
0:08:08.757,0:08:14.500 have to be able to find it and read it. Accessibility is critical.
0:08:15.907,0:08:21.322 The idea that you're going to generate a bunch of policy and, you know,
0:08:21.322,0:08:27.348 print it and then put it on a shelf for somebody to come and, you know, at their
0:08:27.348,0:08:31.161 leisure come and read is never going to happen.
0:08:31.161,0:08:37.021 Beyond accessibility I would actually try to take it up the next step, and I'm not sure
0:08:37.021,0:08:40.883 what they call this, but essentially, mandatory accessibility.
0:08:40.883,0:08:44.810 You have to make sure that people are exposed to your policy.
0:08:44.810,0:08:50.088 You can't just make it available and say, look, you know what, we wrote 800 pages of
0:08:50.088,0:08:53.757 policy and it's on this internal link to this web server.
0:08:53.757,0:08:58.805 Please, everybody go read it. How many would?
0:08:58.805,0:09:03.757 Everybody in this class would, of course, because you're directly involved and care
0:09:03.757,0:09:08.084 a lot about these sorts of things, but none of your peers would.
0:09:08.084,0:09:11.850 You absolutely must make sure that they read it.
0:09:11.850,0:09:18.125 Given that scenario, given the scenario of an internet server and you've made it
0:09:18.125,0:09:21.757 available. Any ideas on how you would enforce
0:09:21.757,0:09:24.197 that, or how you would assure? Yes.
0:09:24.401,0:09:27.451 The agreements are on hiring and orientation.
0:09:27.655,0:09:33.349 Orientation, new employee orientation, is a good place to have people at least sign a
0:09:33.349,0:09:38.434 piece of paper saying that they read the last 400 pages and they agreed to
0:09:38.434,0:09:40.199 everything in it. Yes.
0:09:40.374,0:09:45.228 In my company they put it on video and they track everyone who's viewed it.
0:09:45.228,0:09:49.439 Once you've watched them all you get a little certificate of completion.
0:09:49.439,0:09:54.352 It's not real, but it's, like, tracked, and if you don't do it they harass you and your
0:09:54.352,0:09:58.504 manager until you do it. And so they have 90, over 99 percent compliance
0:09:58.504,0:10:01.077 in people viewing the latest training on it.
0:10:01.253,0:10:03.884 So. A technology company, they actually are
0:10:03.884,0:10:08.563 tracking, probably electronically, whether or not you've clicked on the "view this
0:10:08.563,0:10:11.370 video" link. They didn't track whether or not you
0:10:11.370,0:10:14.720 walked away from your desk while you're... It's like.
0:10:14.720,0:10:20.797 How many viewings actually started at 11:59:59?
0:10:20.802,0:10:24.084 Nobody tracked that part? Yes, in the back, and then you.
0:10:24.266,0:10:27.001 [inaudible]. We had a, for a sexual harassment
0:10:27.001,0:10:31.317 training, we had to take some tests. We had to watch some videos on some
0:10:31.317,0:10:35.207 website, and then take a test afterwards regarding each of these.
0:10:35.207,0:10:39.704 And it went into quite a bit of time. It was spread out over, like, a couple
0:10:39.704,0:10:42.257 weeks or something. Tests are fantastic.
0:10:42.257,0:10:47.059 A fantastic way to assure that somebody's actually, not only read something, but
0:10:47.059,0:10:50.639 understood it. Let me get back to that in a moment.
0:10:50.639,0:10:52.318 Go ahead. [inaudible].
0:10:52.318,0:10:57.286 Our interactive training system. And it does have tests embedded in the
0:10:57.286,0:11:00.715 viewing. So, unless you take somebody else's, which
0:11:00.715,0:11:02.605 nobody's going to do, right?
0:11:02.815,0:11:06.313 And I know we have a lawyer in the room, who is it?
0:11:06.523,0:11:08.623 [inaudible]. Ted's not here?
0:11:08.623,0:11:13.101 No lawyer in the room. There's a very interesting thing going on
0:11:13.101,0:11:17.790 right now in the sort of click-through agreements, which is that
0:11:17.790,0:11:23.199 the courts are, and I wish he was here, actually, to correct me, because I am sure I
0:11:23.199,0:11:27.139 am wrong on this. But the courts are getting a little
0:11:27.139,0:11:30.612 wishy-washy on whether or not any of that is of any value.
0:11:30.612,0:11:33.260 So, yes. [inaudible] because, just because
0:11:33.260,0:11:38.105 somebody's indicated that they have put through a page or they've accepted that
0:11:38.105,0:11:41.375 page does not ensure that that content hasn't changed.
0:11:41.375,0:11:45.554 So what have they accepted? And that's not necessarily a static thing.
0:11:45.736,0:11:48.038 Agreed. Although even the static stuff.
0:11:48.038,0:11:53.125 People are wondering whether or not it's reasonable to assume that you did actually
0:11:53.125,0:11:57.546 read all twenty pages of legal mumbo jumbo before you clicked on the yes.
0:11:57.546,0:12:01.120 I'm going to okay this because that means I can now use XP.
0:12:01.953,0:12:03.762 Yes. I've researched this.
0:12:03.955,0:12:08.282 It's less than zero, probably. .001. Some people will
0:12:08.282,0:12:13.385 possibly start to read it, and then they will scroll and see how long it is and
0:12:13.385,0:12:16.097 give up. But no one, I've never seen anyone
0:12:16.097,0:12:21.264 actually put in the effort to read it. And that's with someone watching them and
0:12:21.264,0:12:23.912 them wanting to please me. [inaudible].
0:12:24.106,0:12:25.591 Huh? Who? [inaudible].
0:12:25.785,0:12:28.885 Yeah, lawyers. Actually they read chunks of it.
0:12:28.885,0:12:34.116 Maybe it's five or six of them and they all put it together, so none of them read
0:12:34.116,0:12:37.659 the whole thing. That, and there's a few perverse
0:12:37.659,0:12:42.300 people out there in the world who actually, I think they're kind of good
0:12:42.300,0:12:47.860 examples of creative writing. And I read them because I'm amused by
0:12:47.860,0:12:53.712 some of the stuff they put in there about the fact that, you know, they're not
0:12:53.712,0:12:59.032 responsible with it, you know, if. Good example, Windows Vista: if Windows
0:12:59.032,0:13:03.060 Vista explodes, and the parts fly throughout the room.
0:13:04.140,0:13:10.638 Completely obliterate all life. Windows is and Microsoft is not
0:13:10.638,0:13:12.676 responsible. Absolutely guaranteed.
0:13:12.676,0:13:16.393 It's definitely on, like, page 30. The whole explosion part.
0:13:16.573,0:13:20.770 Isn't there something in there about the wind blows and the tree falls?
0:13:20.770,0:13:23.768 That Microsoft isn't. Certainly not responsible.
0:13:23.948,0:13:28.684 So, not very many people are like me. Not very many people actually think that's
0:13:28.684,0:13:32.101 amusing reading. They actually just page down as far as
0:13:32.101,0:13:34.680 they can and click on the "it's okay" button.
0:13:34.863,0:13:39.830 Most amusing thing I think I ever saw in one of those was actually that somebody
0:13:39.830,0:13:44.858 programmatically looked at how long it took between displaying the first page and
0:13:44.858,0:13:48.170 you clicking on the Okay. And if it wasn't long enough,
0:13:48.170,0:13:50.701 they just said, "Look, you didn't read that.
0:13:50.701,0:13:57.628 Go back and try again." [laugh] I thought that was hilarious.
0:13:57.628,0:14:01.685 But. And that's why testing, actually, starts to,
0:14:01.685,0:14:07.880 starts to get around a little bit of this. I can't imagine what would happen if some
0:14:07.880,0:14:14.076 of the longer click-through agreements started asking, okay, so, under limited
0:14:14.076,0:14:19.621 liability, were we liable for any pet deaths in
0:14:19.621,0:14:23.493 your family? [laugh] So these sorts of things are
0:14:23.493,0:14:27.919 actually starting to change the way we look at stuff.
0:14:28.156,0:14:34.241 I really, really like, by the way, new employee orientation and new employee
0:14:34.241,0:14:39.316 agreements with tests. I'm starting to see places that actually
0:14:39.316,0:14:42.293 implement: you must read all of this stuff, all of
0:14:42.293,0:14:46.851 these policies, procedures, and how do we do business, and so on and so forth.
0:14:46.851,0:14:51.590 And sometime within the next couple of days you're going to have to take a test on
0:14:51.590,0:14:57.740 it, and pass, or you're not an employee. So,
0:14:58.702,0:15:03.883 Anything, any other, by the way, all great elements of good policy.
0:15:03.883,0:15:05.421 Yes? [inaudible].
0:15:05.664,0:15:09.874 Absolutely. You have to have something to back it up.
0:15:09.874,0:15:15.702 If I merely suggest to all of you that you don't take employee data and,
0:15:15.702,0:15:19.507 willy-nilly, start flapping it around the internet,
0:15:19.507,0:15:23.960 and I'm not prepared to do anything about it if you do,
0:15:25.740,0:15:29.762 the policy has no effect. It has really no teeth.
0:15:29.762,0:15:33.055 Yes. I think policy should be enforced at all
0:15:33.055,0:15:37.647 levels of the organization. So senior management is responsible for
0:15:37.647,0:15:41.005 living up to that policy as well as junior staff.
0:15:41.005,0:15:46.145 We've had situations where political content, for instance, was sent through
0:15:46.145,0:15:51.353 the email to employees regarding certain initiatives from senior management.
0:15:51.353,0:15:55.876 And it was pointed out to them, you realize you just made a policy
0:15:55.876,0:15:57.384 unenforceable. Yeah.
0:15:57.384,0:15:59.920 [inaudible]. And then, that's actually.
0:16:00.829,0:16:02.615 And who do, I won't even ask who you work for.
0:16:02.725,0:16:04.730 A healthcare organization. A healthcare organization.
0:16:04.839,0:16:09.520 [inaudible] That's what the issue is. Interesting.
0:16:10.060,0:16:15.622 That, I see that a lot more in smaller organizations, you know, organizations of
0:16:15.622,0:16:21.398 a few thousand people and less, where the management of the organization is not used
0:16:21.398,0:16:26.462 to having to kind of put up with this uniformity of policy enforcement.
0:16:26.462,0:16:29.600 Larger organizations usually kind of get it.
0:16:30.086,0:16:31.705 Not always. I mean there's.
0:16:31.892,0:16:33.812 [inaudible]. Yeah, yeah.
0:16:33.812,0:16:37.921 It's so, it is absolutely. It is very, very important that people
0:16:37.921,0:16:41.770 realize that policy is enforced from the top to the bottom.
0:16:41.770,0:16:46.923 In fact, it, you know, emanates from business requirements set by the people at
0:16:46.923,0:16:49.989 the very top. So, if those business requirements
0:16:49.989,0:16:52.924 dictated this policy, and they violate policy,
0:16:52.924,0:16:57.882 either the business requirements weren't accurate in the first place,
0:16:57.882,0:17:02.513 or they're actually acting counter to the best interest of the
0:17:02.513,0:17:04.340 company, or the organization.