Security Policy

Security Policies Rebooted

Matt Konda

Here’s a deep dark secret: I don’t particularly like security policy. I don’t always follow policy. Goodness knows that with the 50- to 250-page policies I’ve seen, I didn’t even understand the whole policy at a legal level, and if you don’t understand them at a legal level, can you really say you’re following them? Not to mention when one policy contradicts another.

Even at companies with very robust security programs that include policy, it is very common that I approach developers and they don’t understand their company’s policy either, for example what data they need to protect. At a previous employer, we used to tease the folks who worked on PCI as having a “passion for compliance.” That was not a compliment. Policy came to feel like a necessary evil at best.

Then I met and started to work with our CISO, Rocio Baeza. I didn’t know that I’d end up hiring her as an internal policy, governance and risk resource for Jemurai, but I’m lucky I did. Initially, we did policy because many of our clients that needed technical help also needed policies: some kind of rules to follow.

As we challenged Rocio to “get meta” on the problems with policy the way we try to “get meta” with the technical issues we see, she extended and then surpassed our expectations by developing an approach for Agile Governance. She implemented policies for clients that were short, to the point and readable, and that in our collective judgment captured the important things they needed to think about even better than the policy “books” we saw.

Writing policy in layman’s terms, with a focus on simplicity, was something that wasn’t immediately easy to appreciate. The shorter, simpler policy reads easily and doesn’t hurt the way some policies do. It’s like the old quote from Blaise Pascal:

 “If I had more time, I would have written a shorter letter.”

We worked hard to make it shorter. Does that mean it doesn’t work? On the contrary, we think it works even better. In fact, it works so well that we packaged the policy in a more digestible way so that people could get access to it without a whole consulting engagement. You can now purchase the policy bundle, which includes the core policy, a license and a simple one-page implementation guide, right off our website for less than the cost of an hour of a security pro’s time. Check it out: https://jemurai.com/product/general-security-policy-bundle/ and let us know what you think.

I Don’t Need A Security Policy…Right?

Keely Caldwell

By: Rocio Baeza

At some point, security policies will become an area that you need to address in your company. If you are reading this, you are probably rummaging through the internet for security policies. It’s likely that a client or investor is conducting some type of due diligence on your company and you’re looking to give them what they need so you can close the deal. Or maybe you’ve reached the line item in your business plan to tackle security. Regardless of the reason you’re here, we hope to provide you with more information to help you figure out your next step.

Let’s start out with addressing some basic areas:


What is a security policy?

Security policies establish your company’s position on protecting data. If you’re in a regulated industry, this is likely “required” for you to stay in business. If you’re on the cutting edge of a new idea or product, you probably want to make sure that the valuable information you are creating is well guarded. A security policy should be a document that captures your position on securing the data you process. The intended audience for the document is the employees (and/or contractors) who are helping you run your business.


When do you need a security policy?

The typical security professional will argue that you need a security policy as soon as you start to collect data. In an ideal world, yes, I too would agree with that position. However, let’s be realistic. Creating a company has many moving parts. You need to create an MVP (minimum viable product) before your business is able to generate revenue from customers or raise funding from investors. If you ask us, you need a security policy when your gut tells you that you need to address this. Some of our customers find out they need a policy when they do their first big deal.


Our philosophy on policy …

We do policy differently than a lot of other security companies. Many of our bigger customers have existing huge policy sets, written by a legion of consultants, that were actually copied and pasted from previous clients. The policies don’t fit, and they cost an arm and a leg to develop and maintain.

We aim to make policy simple. If anyone on the team can’t understand it, it is not serving its purpose. If it is more than a few pages, it is not serving its purpose, because people won’t read it.


Where do you start?

Luckily, you have several options:

Option 1: Continue to run searches on Google for free security templates. Yes, there are many out there. Go on, go ahead and download the endless pages of Word documents. Warning: you may need some eye drops after you’re done reading those documents.

Option 2: Find a big firm that charges a ton of money for their policy templates. In our experience, they tend to be heavy, super long and filled with jargon, and as a result will only fit after some heavy-duty customization.

Option 3: Try our policy bundle. Our team of experts distilled the most important security policy content into the simplest possible document. We believe you will understand it and be able to apply it out of the gate.
