WEBVTT

00:00:00.000 --> 00:00:04.900
So, let's talk a little bit about elements of good policy.

00:00:07.300 --> 00:00:12.200
Number one on my list: driven directly by business requirements.

00:00:13.580 --> 00:00:20.818
It will enable productivity by allowing secure access to information resources.

00:00:20.818 --> 00:00:25.555
One of, one of the things that we, as computer

00:00:25.555 --> 00:00:32.880
security professionals typically do wrong. A, we use the wrong language in

00:00:32.880 --> 00:00:39.859
describing what we're trying to do. B, maybe we're using the right language in

00:00:39.859 --> 00:00:44.754
the wrong way. So, if I walk into a, a group of my peers

00:00:44.754 --> 00:00:51.019
or executives and I start talking about this new initiative where we're going to

00:00:51.019 --> 00:00:55.035
protect these laptops that are, unfortunately, flying off the shelves or

00:00:55.035 --> 00:00:59.554
out of our cars. And I start by saying, well, what we need

00:00:59.554 --> 00:01:05.780
to do is prevent X, keep Y from happening and make sure that we absolutely stop Z.

00:01:07.680 --> 00:01:14.295
What the executive is hearing is, he is preventing, stopping, in all kinds of ways

00:01:14.295 --> 00:01:18.205
making stuff not happen. That's not their world.

00:01:18.205 --> 00:01:22.630
Their world is about making things happen. Their world is about making the needs of

00:01:22.630 --> 00:01:26.147
the business come first. And those business requirements happen in

00:01:26.147 --> 00:01:29.719
the smoothest possible way. So, when you chart, when you start out in

00:01:29.719 --> 00:01:32.650
negative terms. When you start out defining things that

00:01:32.650 --> 00:01:34.836
won't happen. And things that must not be.

00:01:34.836 --> 00:01:39.046
They're not hearing any of what you say. They're just hearing that you're a big

00:01:39.046 --> 00:01:42.620
preventer.
Alright, if, when that's the case, you're,

00:01:42.620 --> 00:01:45.263
you're not going to be able to make your case.

00:01:45.263 --> 00:01:46.929
So, you know, a good policy is, is an enabler.

00:01:46.929 --> 00:01:51.583
Good policy says, hey, look at this, we found a secure way to actually allow all you

00:01:51.583 --> 00:01:55.604
people out there to run around with your laptops like you always have.

00:01:55.604 --> 00:01:59.913
If we weren't able, what you are not seeing in this policy is, if we weren't

00:01:59.913 --> 00:02:05.280
able to find that secure way, we'd be asking you for your laptops back

00:02:05.580 --> 00:02:11.800
because we can't have this keep happening, you know, let the firings begin.

00:02:12.560 --> 00:02:19.265
So. I think good policy is clear, and, and,

00:02:19.265 --> 00:02:22.548
and usually short. My customers.

00:02:22.548 --> 00:02:25.328
I, I develop a lot of policy for my customers.

00:02:25.328 --> 00:02:29.035
They're always surprised by how brief I typically make them.

00:02:29.035 --> 00:02:33.916
I'm, I'm always striving to make short statements that completely make sense to

00:02:33.916 --> 00:02:36.696
everybody that reads them, in terms of policy.

00:02:36.696 --> 00:02:41.391
When we start talking about the technical stuff, when we get into procedures,

00:02:41.391 --> 00:02:45.901
guidelines, and all that kind of stuff, then we can get into all the geeky

00:02:45.901 --> 00:02:49.484
technical stuff that must happen to make this policy work.

00:02:49.484 --> 00:02:54.700
But when it's about the policy, I personally have never written a

00:02:54.700 --> 00:02:59.820
policy that was more than two pages long, about a specific thing.

00:03:00.160 --> 00:03:05.404
If you can't describe the thing you want to happen in two pages, you've taken on

00:03:05.404 --> 00:03:09.862
the wrong thing, essentially. You, you, you're going about it the wrong

00:03:09.862 --> 00:03:12.681
way.
You need to break it down a little bit

00:03:12.681 --> 00:03:17.860
further such that you can make simple policy statements that people understand.

00:03:18.180 --> 00:03:24.920
A corollary to that is it should be measurable.

00:03:25.700 --> 00:03:30.873
When I'm, when I'm talking about measurability here, I'm talking about the

00:03:30.873 --> 00:03:36.680
ability to measure compliance. Then we'll, we'll get into a lot of, more

00:03:36.680 --> 00:03:41.517
about that when I start talking about maturity models and, and how maturity

00:03:41.517 --> 00:03:47.278
models relate to policy, but the simplest way to think of this is that if you have a

00:03:47.278 --> 00:03:51.481
policy, and you think that policy is in place, and the people understand it, and

00:03:51.481 --> 00:03:54.500
that it's actually doing what it's supposed to be doing.

00:03:54.860 --> 00:04:01.109
You don't actually know that unless you can actually measure compliance.

00:04:01.109 --> 00:04:09.244
Unless you can look at... It's amazingly annoying.

00:04:09.437 --> 00:04:14.263
Unless you can actually look at this policy and how people are behaving in

00:04:14.263 --> 00:04:19.153
relationship to the policy and say, well, this is how well the policy's doing.

00:04:19.153 --> 00:04:23.785
Or, hey, the policy's not, you know? People either don't understand it, they

00:04:23.785 --> 00:04:27.389
don't know it. Or they do understand it and they know it

00:04:27.389 --> 00:04:31.700
and they're not complying. What's the number one reason that people

00:04:31.700 --> 00:04:35.691
don't comply with policy? Complexity is one.

00:04:35.691 --> 00:04:39.259
It's not the top of my list but it's, it's near the top.

00:04:39.454 --> 00:04:43.864
We weren't told it in the first place. Well, now I've sure told it.

00:04:43.864 --> 00:04:45.616
In the back. [inaudible].

00:04:45.810 --> 00:04:49.443
Inconvenience. That is the number one reason that people

00:04:49.443 --> 00:04:53.701
do not adhere to policy.
And, that inconvenience typically, I,

00:04:54.065 --> 00:04:57.460
interestingly enough, most of us want to try to do our job.

00:04:58.460 --> 00:05:04.010
The inconvenience is typically related to, this policy makes it hard, impossible,

00:05:04.010 --> 00:05:07.523
difficult to do the thing that you hired me to do.

00:05:07.523 --> 00:05:14.660
So I am going to ignore it. So, you have to avoid all of that kind of

00:05:14.660 --> 00:05:21.842
mess. Good policy has to be enforceable.

00:05:24.600 --> 00:05:30.266
What we mean by enforcement is going to vary, actually, from company to company,

00:05:30.266 --> 00:05:35.424
organization to organization. But you have to actually have some way of

00:05:35.424 --> 00:05:41.235
saying you must accomplish this thing that we have asked you to do, or there are

00:05:41.235 --> 00:05:48.435
consequences, alright? The variability for that is, is industry

00:05:48.435 --> 00:05:51.831
variability. It's regulatory compliance variability.

00:05:51.831 --> 00:05:56.360
There's lots and lots of reasons that that's not the same for everybody.

00:05:58.520 --> 00:06:03.585
Number five on my list, and I invented a word for this.

00:06:03.585 --> 00:06:09.980
It's "regulatorily correct." The spellchecker didn't like that.

00:06:10.240 --> 00:06:16.871
Obviously, what I mean, though, is that policy itself must reflect any regulations

00:06:16.871 --> 00:06:20.920
that actually drive what your business must do.

00:06:21.540 --> 00:06:26.711
Raise your hand if you're in an industry that has no federal regulations regarding

00:06:26.711 --> 00:06:30.980
your security policy. Wow.

00:06:31.780 --> 00:06:36.177
I asked that exact same question about three years ago.

00:06:36.177 --> 00:06:40.045
And three-quarters of the class raised their hands.

00:06:40.045 --> 00:06:45.428
Until, one by one, I explained what regulation, what federal agency cared

00:06:45.428 --> 00:06:49.295
about them.
It's almost never been true, but it's

00:06:49.295 --> 00:06:57.320
certainly not true now. HIPAA. Gramm-Leach-Bliley.

00:07:00.183 --> 00:07:02.745
What's another, who haven't I got? SOX.

00:07:02.928 --> 00:07:05.980
SOX, of course, that's all of you that are public.

00:07:06.640 --> 00:07:17.300
Any other fun ones that I'm missing? ITAR. ITAR, ITAR?

00:07:18.017 --> 00:07:22.886
All of you Boeing people are e, exporting people.

00:07:23.733 --> 00:07:29.343
[inaudible] [laugh]. You took your laptop and left.

00:07:30.189 --> 00:07:35.069
[inaudible]. [laugh] So, okay, and again, the category

00:07:35.069 --> 00:07:41.090
of, of, of the list we are going through right now is elements of good policy,

00:07:41.090 --> 00:07:43.546
those were mine. What are yours?

00:07:43.546 --> 00:07:52.544
What else should good policy have? I listed everything.

00:07:52.544 --> 00:07:54.486
Yes. We did a review.

00:07:54.740 --> 00:07:59.215
Absolutely. Good policy, and actually good maturity in

00:07:59.215 --> 00:08:02.593
your policy, requires regular review. Yes.

00:08:02.846 --> 00:08:08.757
I was going to say accessibility. In other words, it's got to be, people

00:08:08.757 --> 00:08:14.500
have to be able to find it and read it. Accessibility is critical.

00:08:15.907 --> 00:08:21.322
The, the idea that you're going to generate a bunch of policy and, you know,

00:08:21.322 --> 00:08:27.348
print it and then put it on a shelf for somebody to come and, you know, at their

00:08:27.348 --> 00:08:31.161
leisure come and read is never going to happen.

00:08:31.161 --> 00:08:37.021
Beyond accessibility I would actually try to take it up the next step, and I'm not sure

00:08:37.021 --> 00:08:40.883
what they call this, but essentially, mandatory accessibility.

00:08:40.883 --> 00:08:44.810
You have to make sure that people are exposed to your policy.
00:08:44.810 --> 00:08:50.088
You can't just make it available and say, look, you know what, we wrote 800 pages of

00:08:50.088 --> 00:08:53.757
policy and it's on this internal link to this web server.

00:08:53.757 --> 00:08:58.805
Please, everybody, go read it. How many would?

00:08:58.805 --> 00:09:03.757
Everybody in this class would, of course, because you're directly involved and care

00:09:03.757 --> 00:09:08.084
a lot about these sorts of things, but none of your peers would.

00:09:08.084 --> 00:09:11.850
You absolutely must make sure that they read it.

00:09:11.850 --> 00:09:18.125
Given that scenario, given the scenario of an internet server and you've made it

00:09:18.125 --> 00:09:21.757
available. Any ideas on how, how you would enforce

00:09:21.757 --> 00:09:24.197
that, or how you would assure? Yes.

00:09:24.401 --> 00:09:27.451
The agreements are on hiring and orientation.

00:09:27.655 --> 00:09:33.349
Orientation, new employee orientation is a good place to have people at least sign a

00:09:33.349 --> 00:09:38.434
piece of paper saying that they read the last 400 pages and they agreed to

00:09:38.434 --> 00:09:40.199
everything in it. Yes.

00:09:40.374 --> 00:09:45.228
In my company they put it on video and they track everyone who's viewed it.

00:09:45.228 --> 00:09:49.439
Once you've watched them all you get a little certificate of completion.

00:09:49.439 --> 00:09:54.352
It's not real but it's, like, tracked, and if you don't do it they harass you and your

00:09:54.352 --> 00:09:58.504
manager until you do it. And, so, they have 90, over 99% compliance

00:09:58.504 --> 00:10:01.077
in people viewing the latest training on it.

00:10:01.253 --> 00:10:03.884
So. A technology company, they actually are

00:10:03.884 --> 00:10:08.563
tracking, probably electronically, whether or not you've clicked on the view this

00:10:08.563 --> 00:10:11.370
video link.
They didn't track whether or not you

00:10:11.370 --> 00:10:14.720
walked away from your desk while you're. It's like.

00:10:14.720 --> 00:10:20.797
How many of, how many viewings actually started at 11:59:59?

00:10:20.802 --> 00:10:24.084
Nobody tracked that part? Yes, in the back, and then you.

00:10:24.266 --> 00:10:27.001
[inaudible]. We had a, for a sexual harassment

00:10:27.001 --> 00:10:31.317
training, we had to take some tests. We had to watch some videos on some

00:10:31.317 --> 00:10:35.207
website, and then take a test afterwards regarding each of these.

00:10:35.207 --> 00:10:39.704
And it went into quite a bit of time. It was spread out over, like, a couple

00:10:39.704 --> 00:10:42.257
weeks or something. Tests are fantastic.

00:10:42.257 --> 00:10:47.059
A fantastic way to assure that somebody's actually, not only read something, but

00:10:47.059 --> 00:10:50.639
understood it. Let me get back to that in a moment.

00:10:50.639 --> 00:10:52.318
Go ahead. [inaudible].

00:10:52.318 --> 00:10:57.286
Our interactive training system. And it does have tests embedded in the

00:10:57.286 --> 00:11:00.715
viewing. So, unless you take somebody else's, which

00:11:00.715 --> 00:11:02.605
nobody's going to do, right?

00:11:02.815 --> 00:11:06.313
And I know we have a lawyer in the room, who is it?

00:11:06.523 --> 00:11:08.623
[inaudible]. Ted's not here?

00:11:08.623 --> 00:11:13.101
No lawyer in the room. There's a very interesting thing going on

00:11:13.101 --> 00:11:17.790
right now in the sort of, click-through agreements, which is that.

00:11:17.790 --> 00:11:23.199
The courts are, and I wish he was here, actually, to correct me because I am sure I

00:11:23.199 --> 00:11:27.139
am wrong on this. But the courts are getting a little wishy

00:11:27.139 --> 00:11:30.612
washy on whether or not any of that is of any value.

00:11:30.612 --> 00:11:33.260
So, yes.
[inaudible] because, just because

00:11:33.260 --> 00:11:38.105
somebody's indicated that they have put through a page or they've accepted that

00:11:38.105 --> 00:11:41.375
page does not ensure that, that content hasn't changed.

00:11:41.375 --> 00:11:45.554
So what have they accepted? And that's not necessarily a static thing.

00:11:45.736 --> 00:11:48.038
Agreed. Although, even the static stuff.

00:11:48.038 --> 00:11:53.125
People are wondering whether or not it's reasonable to assume that you did actually

00:11:53.125 --> 00:11:57.546
read all twenty pages of legal mumbo jumbo before you clicked on the yes.

00:11:57.546 --> 00:12:01.120
I'm going to okay this because that means I can now use XP.

00:12:01.953 --> 00:12:03.762
Yes. I've researched this.

00:12:03.955 --> 00:12:08.282
It's less than zero, probably .001. People might, some people will

00:12:08.282 --> 00:12:13.385
possibly start to read it, and then they will scroll and see how long it is and

00:12:13.385 --> 00:12:16.097
give up. But no one, I've never seen anyone

00:12:16.097 --> 00:12:21.264
actually put in the effort to read it. And that's with someone watching them and

00:12:21.264 --> 00:12:23.912
them wanting to please me. [inaudible].

00:12:24.106 --> 00:12:25.591
Huh? Who [inaudible].

00:12:25.785 --> 00:12:28.885
Yeah, lawyers. Actually, they read chunks of it.

00:12:28.885 --> 00:12:34.116
Maybe it's five or six of them and they all put it together, so none of them read

00:12:34.116 --> 00:12:37.659
the whole thing. That, and, there's, there's a few perverse

00:12:37.659 --> 00:12:42.300
people out there in the world, who actually, I, I think they're kind of good

00:12:42.300 --> 00:12:47.860
examples of creative writing. And I read them because I, I'm amused by

00:12:47.860 --> 00:12:53.712
some of the stuff they put in there about the fact that, you know, they're not

00:12:53.712 --> 00:12:59.032
responsible with it, you know, if.
Good example, Windows Vista, if Windows

00:12:59.032 --> 00:13:03.060
Vista explodes, and the parts fly throughout the room.

00:13:04.140 --> 00:13:10.638
Completely obliterate all life. Windows is and Microsoft is not

00:13:10.638 --> 00:13:12.676
responsible. Absolutely guaranteed.

00:13:12.676 --> 00:13:16.393
It's, it's definitely on, like, page 30. The whole explosion part.

00:13:16.573 --> 00:13:20.770
Isn't there something in here about the wind blows and the tree falls?

00:13:20.770 --> 00:13:23.768
That Microsoft isn't. Certainly not responsible.

00:13:23.948 --> 00:13:28.684
So, not very many people are like me. Not very many people actually think that's

00:13:28.684 --> 00:13:32.101
amusing reading. They actually just page down as far as

00:13:32.101 --> 00:13:34.680
they can and click on the "It's okay" button.

00:13:34.863 --> 00:13:39.830
Most amusing thing I think I ever saw in one of those was actually that somebody

00:13:39.830 --> 00:13:44.858
programmatically looked at how long it took between displaying the first page and

00:13:44.858 --> 00:13:48.170
you clicking on the Okay. And if it wasn't long enough.

00:13:48.170 --> 00:13:50.701
They just said, "Look, you didn't read that.

00:13:50.701 --> 00:13:57.628
Go back and try again." [laugh] I, I thought that was hilarious.

00:13:57.628 --> 00:14:01.685
But. And that's why testing, actually, starts

00:14:01.685 --> 00:14:07.880
to, starts to get around a little bit of this. I can't imagine what would happen if some

00:14:07.880 --> 00:14:14.076
of the longer click-through agreements started asking, okay, so, under limited

00:14:14.076 --> 00:14:19.621
liability. Were we liable for any pet deaths in

00:14:19.621 --> 00:14:23.493
your family? [laugh] So these sorts of things are

00:14:23.493 --> 00:14:27.919
actually starting to, to change the way we look at stuff.
00:14:28.156 --> 00:14:34.241
I really, really like, by the way, new employee orientation and new employee

00:14:34.241 --> 00:14:39.316
agreements with tests. I'm starting to see places that actually

00:14:39.316 --> 00:14:42.293
implement: you must read all of this stuff, all of

00:14:42.293 --> 00:14:46.851
these policies, procedures and how do we do business and so on and so forth.

00:14:46.851 --> 00:14:51.590
And, sometime within the next couple of days you're going to have to take a test on

00:14:51.590 --> 00:14:57.740
it, and pass, or you're not an employee. So,

00:14:58.702 --> 00:15:03.883
anything, any other, by the way, all great elements of good policy.

00:15:03.883 --> 00:15:05.421
Yes? [inaudible].

00:15:05.664 --> 00:15:09.874
Absolutely. You have to have something to back it up.

00:15:09.874 --> 00:15:15.702
If I merely suggest to all of you that you don't take employee data, and

00:15:15.702 --> 00:15:19.507
willy-nilly, start flapping around the internet.

00:15:19.507 --> 00:15:23.960
And I'm not prepared to do anything about it if you do.

00:15:25.740 --> 00:15:29.762
The policy has no effect. It has, it has really no, no teeth.

00:15:29.762 --> 00:15:33.055
Yes. I think policy should be enforced at all

00:15:33.055 --> 00:15:37.647
levels of the organization. So senior management is responsible for

00:15:37.647 --> 00:15:41.005
living up to that policy as well as junior staff.

00:15:41.005 --> 00:15:46.145
We've had situations where political content, for instance, was sent through

00:15:46.145 --> 00:15:51.353
the email to employees regarding certain initiatives from senior management.

00:15:51.353 --> 00:15:55.876
And it was pointed out to them, you realize you just made a policy

00:15:55.876 --> 00:15:57.384
unenforceable. Yeah.

00:15:57.384 --> 00:15:59.920
[inaudible]. And then, that's actually.

00:16:00.829 --> 00:16:02.615
And, and who do, I won't even ask who you work for.

00:16:02.725 --> 00:16:04.730
A healthcare organization.
A healthcare organization.

00:16:04.839 --> 00:16:09.520
[inaudible] That's what the issue is. Interesting.

00:16:10.060 --> 00:16:15.622
That, I see that a lot more in smaller organizations, you know, organizations of,

00:16:15.622 --> 00:16:21.398
of a few thousand people and less, where the management of the organization is not used

00:16:21.398 --> 00:16:26.462
to having to kind of put up with this uniformity of policy enforcement.

00:16:26.462 --> 00:16:29.600
Larger organizations usually kind of get it.

00:16:30.086 --> 00:16:31.705
Not always. I mean, there's.

00:16:31.892 --> 00:16:33.812
[inaudible]. Yeah, yeah.

00:16:33.812 --> 00:16:37.921
It's so, it is absolutely. It is very, very important that people

00:16:37.921 --> 00:16:41.770
realize that policy is enforced from the top to the bottom.

00:16:41.770 --> 00:16:46.923
In fact, it's, you know, emanates from business requirements set by the people at

00:16:46.923 --> 00:16:49.989
the very top. So, if those business requirements

00:16:49.989 --> 00:16:52.924
dictated this policy. And they violate policy.

00:16:52.924 --> 00:16:57.882
Either the business requirements weren't accurate in the, in the first place.

00:16:57.882 --> 00:17:02.513
Or they're actually count, acting counter to the best interest of the

00:17:02.513 --> 00:17:04.340
company, or the organization.