Why a Security Policy Is Necessary

Policies enable management to make a statement about the value of information to the business. A former employer of ours once thought that the only things of value to them were the product they manufactured and the revenue they generated. The computer systems simply were not that important. "Ah," we said, "but what if we suddenly lose the ability to bill for the product? How could we receive revenue? How could we make more product?" Suddenly, the security of the systems that processed billing information became very important. ^[2]

^[2] Telephone companies get this very well. When you place a call that crosses local access transport areas, there is a charge for that. The phone company's computer generates a call detail record (CDR). That CDR is a nugget of gold to the phone company, and preserving its integrity is the phone company's overarching goal. Actually completing your call is secondary. Phone companies are billing engines.

Policies can permit actions that would otherwise backfire. For instance, in many jurisdictions worldwide, it is illegal to monitor traffic. However, if you simply state in your policy that you are monitoring traffic, the law will be on your side, because often the laws permit monitoring if you have a policy declaring that you do. Note that it is rarely required that the persons being monitored are actually aware of this policy.

A policy is necessary to define what constitutes appropriate behavior. It is like a law in the sense that it codifies the generally accepted norm and provides guidelines for constituents to actually comply with that norm. A policy also provides the fundamental framework onto which you can apply processes, and, of course, technologies. As technologists, far too frequently we try to solve all problems with technology. The problem with that is that technology is a tool to achieve a solution, not a solution unto itself. The policy is what tells us the solution we want to achieve. After we have that goal, we can define the appropriate processes to achieve it, and only then can we create a technology solution to implement the processes. Finally, a policy provides foundation for prosecution or human resources action. You cannot terminate someone for misuse or endangerment of organizational resources unless you have previously codified that such behavior is unacceptable. You must have the policy in place to give you the ability to deal with transgressors.

However, none of these are really the main management driver behind policy. Management likes policies that provide management a shield. A policy largely is legal risk management; it is how senior management keeps the corporation protected from the legal wrongdoing of a few bad apples. Keep that in mind when dealing with senior management about policy issues.