So, let's talk a little bit about elements of good policy.

Number one on my list: driven directly by business requirements. It will enable productivity by allowing secure access to information resources. One of the things that we, as computer security professionals, typically do wrong: A, we use the wrong language in describing what we're trying to do. B, maybe we're using the right language in the wrong way. So, if I walk into a group of my peers or executives and I start talking about this new initiative where we're going to protect these laptops that are, unfortunately, flying off the shelves or out of our cars, and I start by saying, well, what we need to do is prevent X, keep Y from happening, and make sure that we absolutely stop Z.

What the executive is hearing is: he is preventing, stopping, in all kinds of ways making stuff not happen. That's not their world. Their world is about making things happen. Their world is about making the needs of the business come first, and those business requirements happen in the smoothest possible way. So, when you start out in negative terms, when you start out defining things that won't happen and things that must not be, they're not hearing any of what you say. They're just hearing that you're a big preventer.
All right, if that's the case, you're not going to be able to make your case. So, you know, a good policy is an enabler. Good policy says, hey, look at this: we found a secure way to actually allow all you people out there to run around with your laptops like you always have. What you are not seeing in this policy is: if we weren't able to find that secure way, we'd be asking you for your laptops back, because we can't have this keep happening. You know, let the firings begin.

So, I think good policy is clear, and usually short. I develop a lot of policy for my customers. They're always surprised by how brief I typically make them. I'm always striving to make short statements that completely make sense to everybody that reads them, in terms of policy. When we start talking about the technical stuff, when we get into procedures, guidelines, and all that kind of stuff, then we can get into all the geeky technical stuff that must happen to make this policy work. But when it's about the policy, I personally have never written a policy that was more than two pages long about a specific thing. If you can't describe the thing you want to happen in two pages, you've taken on the wrong thing, essentially.
You're going about it the wrong way. You need to break it down a little bit further such that you can make simple policy statements that people understand.

A corollary to that is it should be measurable. When I'm talking about measurability here, I'm talking about the ability to measure compliance. We'll get into a lot more about that when I start talking about maturity models and how maturity models relate to policy, but the simplest way to think of this is that if you have a policy, and you think that policy is in place, and the people understand it, and that it's actually doing what it's supposed to be doing, you don't actually know that unless you can actually measure compliance. Unless you can look at... It's amazingly annoying. Unless you can actually look at this policy and how people are behaving in relationship to the policy and say, well, this is how well the policy's doing. Or, hey, the policy's not, you know? People either don't understand it, they don't know it, or they do understand it and they know it and they're not complying. What's the number one reason that people don't comply with policy? Complexity is one. It's not the top of my list, but it's near the top. We weren't told it in the first place. Well, now I've sure told it. In the back. [inaudible].
Inconvenience. That is the number one reason that people do not adhere to policy. And that inconvenience, typically... Interestingly enough, most of us want to try to do our job. The inconvenience is typically related to: this policy makes it hard, impossible, difficult to do the thing that you hired me to do. So I am going to ignore it. So, you have to avoid all of that kind of mess.

Good policy has to be enforceable. What we mean by enforcement is going to vary, actually, from company to company, organization to organization. But you have to actually have some way of saying you must accomplish this thing that we have asked you to do, or there are consequences, all right? The variability for that is industry variability. It's regulatory compliance variability. There's lots and lots of reasons that that's not the same for everybody.

Number five on my list, and I invented a word for this: it's "regulatorily correct." The spellchecker didn't like that. Obviously, what I mean, though, is that policy itself must reflect any regulations that actually drive what your business must do. Raise your hand if you're in an industry that has no federal regulations regarding your security policy. Wow. I asked that exact same question about three years ago, and three-quarters of the class raised their hands.
Until, one by one, I explained what regulation, what federal agency cared about them. It's almost never been true, but it's certainly not true now. HIPAA. Gramm-Leach-Bliley. What's another? Who haven't I got? SOX. SOX, of course, that's all of you that are public. Any other fun ones that I'm missing? Icar, ITAR, ITAR? All of you Boeing people are e-, expoing people. [inaudible] [laugh]. You took your laptop and left. [inaudible]. [laugh]

So, okay, and again, the category of the list we are going through right now is elements of good policy. Those were mine. What are yours? What else should good policy have? I listed everything. Yes. We did a review. Absolutely. Good policy, and actually good maturity in your policy, requires regular review. Yes. I was going to say accessibility. In other words, people have to be able to find it and read it. Accessibility is critical. The idea that you're going to generate a bunch of policy and, you know, print it and then put it on a shelf for somebody to come and, you know, at their leisure come and read is never going to happen. Beyond accessibility, I would actually try to take it up the next step, and I'm not sure what they call this, but essentially, mandatory accessibility.
You have to make sure that people are exposed to your policy. You can't just make it available and say, look, you know what, we wrote 800 pages of policy and it's on this internal link to this web server. Please, everybody go read it. How many would? Everybody in this class would, of course, because you're directly involved and care a lot about these sorts of things, but none of your peers would. You absolutely must make sure that they read it. Given that scenario, given the scenario of an internet server and you've made it available, any ideas on how you would enforce that, or how you would assure? Yes. The agreements are on hiring and orientation. Orientation, new employee orientation, is a good place to have people at least sign a piece of paper saying that they read the last 400 pages and they agreed to everything in it. Yes. In my company they put it on video and they track everyone who's viewed it. Once you've watched them all you get a little certificate of completion. It's not real, but it's, like, tracked, and if you don't do it they harass you and your manager until you do it. And so they have 90, over 99 percent compliance in people viewing the latest training on it. So.
A technology company, they actually are tracking, probably electronically, whether or not you've clicked on the view-this-video link. They didn't track whether or not you walked away from your desk while you're... It's like, how many viewings actually started at 11:59:59? Nobody tracked that part? Yes, in the back, and then you. [inaudible]. We had, for a sexual harassment training, we had to take some tests. We had to watch some videos on some website and then take a test afterwards regarding each of these. And it went into quite a bit of time. It was spread out over, like, a couple weeks or something. Tests are fantastic. A fantastic way to assure that somebody's actually not only read something, but understood it. Let me get back to that in a moment. Go ahead. [inaudible]. Our interactive training system. And it does have tests embedded in the viewing. So, unless you take somebody else's, which nobody's going to do, right? And I know we have a lawyer in the room, who is it? [inaudible]. Ted's not here? No lawyer in the room. There's a very interesting thing going on right now in the sort of click-through agreements, which is that...
The courts are, and I wish he was here, actually, to correct me, because I am sure I am wrong on this, but the courts are getting a little wishy-washy on whether or not any of that is of any value. So, yes. [inaudible] because just because somebody's indicated that they have put through a page or they've accepted that page does not ensure that that content hasn't changed. So what have they accepted? And that's not necessarily a static thing. Agreed. Although even the static stuff, people are wondering whether or not it's reasonable to assume that you did actually read all twenty pages of legal mumbo jumbo before you clicked on the yes. I'm going to okay this because that means I can now use XP. Yes. I've researched this. It's less than zero, probably .001. People might, some people will possibly start to read it, and then they will scroll and see how long it is and give up. But no one, I've never seen anyone actually put in the effort to read it. And that's with someone watching them and them wanting to please me. [inaudible]. Huh? Who [inaudible]. Yeah, lawyers. Actually, they read chunks of it. Maybe it's five or six of them and they all put it together, so none of them read the whole thing.
That, and there's a few perverse people out there in the world who actually, I think they're kind of good examples of creative writing. And I read them because I'm amused by some of the stuff they put in there about the fact that, you know, they're not responsible with it, you know, if... Good example, Windows Vista: if Windows Vista explodes and the parts fly throughout the room, completely obliterate all life, Windows is, and Microsoft is not responsible. Absolutely guaranteed. It's definitely on, like, page 30, the whole explosion part. Isn't there something in here about the wind blows and the tree falls? That Microsoft isn't, certainly not, responsible. So, not very many people are like me. Not very many people actually think that's amusing reading. They actually just page down as far as they can and click on the "it's okay" button. Most amusing thing I think I ever saw in one of those was actually that somebody programmatically looked at how long it took between displaying the first page and you clicking on the Okay. And if it wasn't long enough, they just said, "Look, you didn't read that. Go back and try again." [laugh] I thought that was hilarious. But, and that's why testing actually starts to get around a little bit of this.
I can't imagine what would happen if some of the longer click-through agreements started asking, okay, so, under limited liability, were we liable for any pet deaths in your family? [laugh] So these sorts of things are actually starting to change the way we look at stuff.

I really, really like, by the way, new employee orientation and new employee agreements with tests. I'm starting to see places that actually implement: you must read all of this stuff, all of these policies, procedures, and how we do business and so on and so forth. And sometime within the next couple of days you're going to have to take a test on it, and pass, or you're not an employee. So, anything, any other... by the way, all great elements of good policy. Yes? [inaudible]. Absolutely. You have to have something to back it up. If I merely suggest to all of you that you don't take employee data and, willy-nilly, start flapping around the internet, and I'm not prepared to do anything about it if you do, the policy has no effect. It has really no teeth. Yes. I think policy should be enforced at all levels of the organization. So senior management is responsible for living up to that policy as well as junior staff.
We've had situations where political content, for instance, was sent through the email to employees regarding certain initiatives from senior management. And it was pointed out to them, you realize you just made a policy unenforceable. Yeah. [inaudible]. And then, that's actually... And who do, I won't even ask who you work for. A healthcare organization. A healthcare organization. [inaudible] That's what the issue is. Interesting. I see that a lot more in smaller organizations, you know, organizations of a few thousand people and less, where the management of the organization is not used to having to kind of put up with this uniformity of policy enforcement. Larger organizations usually kind of get it. Not always. I mean, there's... [inaudible]. Yeah, yeah. It is absolutely, it is very, very important that people realize that policy is enforced from the top to the bottom. In fact, it, you know, emanates from business requirements set by the people at the very top. So, if those business requirements dictated this policy, and they violate policy, either the business requirements weren't accurate in the first place.
Or they're actually acting counter to the best interest of the company, or the organization.