Thursday, July 31, 2008

Security Policy Best Practices

We're taking on a new client, and their standards requirements are a bit beyond anything we've ever encountered.

I just finished going through a nearly-600 line spreadsheet answering questions about our network's physical and logical security controls. It also included questions about our in-place security policies and what was covered by them. Nothing in the questionnaire was a bad idea to have implemented, but the sum total was a bit overwhelming.

We do have a security policy; it's covered in a page or so of the employee handbook. It's implemented, as well, but beyond that, everything has been done according to a relatively "common sense" approach. To remedy this lack of standards, my boss and I are currently going through the SANS Institute's "Security Policy Project", and I've got to say, it's more overwhelming than the original spreadsheet.

We've accumulated about 15 documents that we think apply to our situation, and we're in the middle of revising them and customizing some of the technologies they cover to work for us. After they get drafted and approved, I get to implement them. I can't wait.

The hardest part will be a change in mindset for the users. I can't wait to see how the operations side responds to this. I suppose it's the price you have to play for running with the big dogs, so to speak.

Which brings me to my question. Does your company have a codified security policy? Do you ever do spot checks, or audits? Do you abide by the policy?

As always, I have anonymous comments enabled, so feel free to comment as such if you are worried about revealing too much about your network.