So, let's talk a little bit about elements of good policy. Number one on my list: driven directly by business requirements. It will enable productivity by allowing secure access to information resources. One of, one of the things that we, as computer security professionals, typically do wrong. A, we use the wrong language in describing what we're trying to do. B, maybe we're using the right language in the wrong way. So, if I walk into a, a group of my peers or executives and I start talking about this new initiative where we're going to protect these laptops that are, unfortunately, flying off the shelves or out of our cars. And I start by saying, well, what we need to do is prevent X, keep Y from happening and make sure that we absolutely stop Z. What the executive is hearing is, he is preventing, stopping in all kinds of ways, making stuff not happen. That's not their world. Their world is about making things happen. Their world is about making the needs of the business come first. And those business requirements happen in the smoothest way possible. So, when you chart, when you start out in negative terms, when you start out defining things that won't happen and things that must not be, they're not hearing any of what you say. They're just hearing that you're a big preventer. Alright, when that's the case you're, you're not going to be able to make your case. So, you know, a good policy is, is an enabler. Good policy says, hey, look at this, we found a secure way to actually allow all you people out there to run around with your laptops like you always have. If we weren't able, what you are not seeing in this policy is, if we weren't able to find that secure way, we'd be asking you for your laptops back because we can't have this keep happening. You know, let the firings begin. So. I think good policy is clear, and, and, and usually short. My customers. I, I develop a lot of policy for my customers. They're always surprised by how brief I typically make them.
I'm, I'm always striving to make short statements that completely make sense to everybody that reads them, in terms of policy. When we start talking about the technical stuff, when we get into procedures, guidelines, and all that kind of stuff, then we can get into all the geeky technical stuff that must happen to make this policy work. But when it's about the policy, I've personally never written a policy that was more than two pages long, about a specific thing. If you can't describe the thing you want to happen in two pages, you've taken on the wrong thing, essentially. You, you, you're going about it the wrong way. You need to break it down a little bit further such that you can make simple policy statements that people understand. A corollary to that is it should be measurable. When I'm, when I'm talking about measurability here, I'm talking about the ability to measure compliance. Then we'll, we'll get into a lot of, more about that when I start talking about maturity models and, and how maturity models relate to policy, but the simplest way to think of this is that if you have a policy, and you think that policy is in place, and the people understand it, and that it's actually doing what it's supposed to be doing. You don't actually know that unless you can actually measure compliance. Unless you can look at... It's amazingly annoying. Unless you can actually look at this policy and how people are behaving in relationship to the policy and say, well, this is how well the policy's doing. Or, hey, the policy's not, you know? People either don't understand it, they don't know it. Or they do understand it and they know it and they're not complying. What's the number one reason that people don't comply with policy? Complexity is one. It's not the top of my list but it's, it's near the top. We weren't told it in the first place. Well, now I've sure told it. In the back. [inaudible]. Inconvenience. That is the number one reason that people do not adhere to policy.
And, that inconvenience typically, I, interestingly enough, most of us wanna try to do our job. The inconvenience is typically related to, this policy makes it hard, impossible, difficult to do the thing that you hired me to do. So I am going to ignore it. So, you have to avoid all of that kind of mess. Good policy has to be enforceable. What we mean by enforcement is going to vary, actually, from company to company, organization to organization. But you have to actually have some way of saying you must accomplish this thing that we have asked you to do, or there are consequences, alright? The variability for that is, is industry variability. It's regulatory compliance variability. There's lots and lots of reasons that that's not the same for everybody. Number five on my list, and I invented a word for this, is "regulatorily correct." The spellchecker didn't like that. Obviously what I mean, though, is that policy itself must reflect any regulations that actually drive what your business must do. Raise your hand if you're in an industry that has no federal regulations regarding your security policy. Wow. I asked that exact same question about three years ago. And three-quarters of the class raised their hands. Until one by one I explained what regulation, what federal agency cared about them. It's almost never been true, but it's certainly not true now. HIPAA. Gramm-Leach-Bliley. What's another, who haven't I got? SOX. SOX, of course, that's all of you that are public. Any other fun ones that I'm missing? ITAR, ITAR, ITAR? All of you Boeing people are ex, exporting people. [inaudible] [laugh]. You took your laptop and left. [inaudible]. [laugh] So, okay, and again, the category of, of, of the list we are going through right now is elements of good policy; those were mine. What are yours? What else should good policy have? I listed everything. Yes. We did a review. Absolutely. Good policy, and actually good maturity in your policy, requires regular review. Yes.
I was going to say accessibility. In other words, it's got to be, people have to be able to find it and read it. Accessibility is critical. The, the idea that you're going to generate a bunch of policy and, you know, print it and then put it on a shelf for somebody to come and, you know, at their leisure come and read is never going to happen. Beyond accessibility I would actually try to take it up the next step, and I'm not sure what they call this, but essentially, mandatory accessibility. You have to make sure that people are exposed to your policy. You can't just make it available and say, look, you know what, we wrote 800 pages of policy and it's on this internal link to this web server. Please, everybody go read it. How many would? Everybody in this class would, of course, because you're directly involved and care a lot about these sorts of things, but none of your peers would. You absolutely must make sure that they read it. Given that scenario, given the scenario of an internet server and you've made it available. Any ideas on how, how you would enforce that, or how you would assure? Yes. The agreements are on hiring and orientation. Orientation, new employee orientation is a good place to have people at least sign a piece of paper saying that they read the last 400 pages and they agreed to everything in it. Yes. In my company they put it on video and they track everyone who's viewed it. Once you've watched them all you get a little certificate of completion. It's not real but it's, like, tracked, and if you don't do it they harass you and your manager until you do it. And, so, they have 90, over 99 percent compliance in people viewing the latest training on it. So. A technology company, they actually are tracking, probably electronically, whether or not you've clicked on the view-this-video link. They didn't track whether or not you walked away from your desk while you're. It's like. How many of, how many viewings actually started at 11:59:59? Nobody tracked that part?
Yes, in the back, and then you. [inaudible]. We had a, for a sexual harassment training, we had to take some tests. We had to watch some videos on some website, and then take a test afterwards regarding each of these. And it went into quite a bit of time. It was spread out over, like, a couple weeks or something. Tests are fantastic. A fantastic way to assure that somebody's actually, not only read something, but understood it. Let me get back to that in a moment. Go ahead. [inaudible]. Our interactive training system. And it does have tests embedded in the viewing. So, unless you take somebody else's, which nobody's going to do, right? And I know we have a lawyer in the room, who is it? [inaudible]. Ted's not here? No lawyer in the room. There's a very interesting thing going on right now in the sort of click-through agreements, which is that the courts are, and I wish he was here, actually, to correct me because I am sure I am wrong on this. But the courts are getting a little wishy-washy on whether or not any of that is of any value. So, yes. [inaudible] because, just because somebody's indicated that they have put through a page or they've accepted that page does not ensure that that content hasn't changed. So what have they accepted? And that's not necessarily a static thing. Agreed. Although even the static stuff. People are wondering whether or not it's reasonable to assume that you did actually read all twenty pages of legal mumbo jumbo before you clicked on the yes. I'm going to okay this because that means I can now use XP. Yes. I've researched this. It's less than zero, probably .001. People might, some people will possibly start to read it, and then they will scroll and see how long it is and give up. But no one, I've never seen anyone actually put in the effort to read it. And that's with someone watching them and them wanting to please me. [inaudible]. Huh? Who [inaudible]. Yeah, lawyers. Actually they read chunks of it.
Maybe it's five or six of them and they all put it together, so none of them read the whole thing. That, and, there's, there's a few perverse people out there in the world who actually, I, I think they're kind of good examples of creative writing. And I read them because I, I'm amused by some of the stuff they put in there about the fact that, you know, they're not responsible with it, you know, if. Good example, Windows Vista: if Windows Vista explodes, and the parts fly throughout the room, completely obliterate all life, Windows is and Microsoft is not responsible. Absolutely guaranteed. It's, it's definitely on, like, page 30. The whole explosion part. Isn't there something in here about the wind blows and the tree falls? That Microsoft isn't, certainly not, responsible. So, not very many people are like me. Not very many people actually think that's amusing reading. They actually just page down as far as they can and click on the "it's okay" button. Most amusing thing I think I ever saw in one of those was actually that somebody programmatically looked at how long it took between displaying the first page and you clicking on the Okay. And if it wasn't long enough, they just said, "Look, you didn't read that. Go back and try again." [laugh] I, I thought that was hilarious. But. And that's why testing, actually, starts as starts to around a little bit of this. I can't imagine what would happen if some of the longer click-through agreements started asking, okay, so, under limited liability, were we liable for any pet deaths in your family? [laugh] So these sorts of things are actually starting to, to change the way we look at stuff. I really, really like, by the way, new employee orientation and new employee agreements with tests. I'm starting to see places that actually implement: you must read all of this stuff, all of these policies, procedures and how do we do business and so on and so forth.
And, sometime within the next couple of days you're going to have to take a test on it, and pass, or you're not an employee. So, anything, any other? By the way, all great elements of good policy. Yes? [inaudible]. Absolutely. You have to have something to back it up. If I merely suggest to all of you that you don't take employee data and, willy-nilly, start flapping it around the internet, and I'm not prepared to do anything about it if you do, the policy has no effect. It has, it has really no, no teeth. Yes. I think policy should be enforced at all levels of the organization. So senior management is responsible for living up to that policy as well as junior staff. We've had situations where political content, for instance, was sent through the email to employees regarding certain initiatives from senior management. And it was pointed out to them, you realize you just made a policy unenforceable. Yeah. [inaudible]. And then, that's actually. And, and who do, I won't even ask who you work for. A healthcare organization. A healthcare organization. [inaudible] That's what the issue is. Interesting. That, I see that a lot more in smaller organizations, you know, organizations of, of a few thousand people and less, where the management of the organization is not used to having to kind of put up with this uniformity of policy enforcement. Larger organizations usually kind of get it. Not always. I mean there's. [inaudible]. Yeah, yeah. It's so, it is absolutely. It is very, very important that people realize that policy is enforced from the top to the bottom. In fact, it's, you know, emanates from business requirements set by the people at the very top. So, if those business requirements dictated this policy, and they violate policy, either the business requirements weren't accurate in the, in the first place, or they're actually count, acting counter to the best interest of the company, or the organization.