Keeping It Simple

Of the two signs above, which one is the better statement of the rules for using the beach? There is no right answer. The one on the left is certainly the more comprehensive. However, there are several problems with lengthy, detailed rules: they are extremely difficult to draft, few people take the time to read them, and it is unlikely that you can draft a rule for every situation (although the author of the sign on the left has certainly tried). More importantly, rules require resources, and many businesses do not have the expertise or funds to maintain them over time. The result is, all too often, what you see in the picture below – a rule that has long since failed to serve its purpose. The “Exercise Caution” sign on the right is simple and to the point – use common sense. It clearly conveys a concept but leaves the application of the rules up to the user. If the user understands the risks and is prudent in his or her actions, then “Exercise Caution” is a good rule. However, in the case of information security, many users are not familiar with the more complex and technical aspects of this area and require a detailed explanation of what is necessary for compliance. This is the conundrum we face with information security rules, whether they be enterprise-level policies and standards or business-level practices and procedures. What is the right level of detail for rule setting?

The answer lies in:

  • Training and awareness. If the employees in your business understand the risks, threats and vulnerabilities that confront your business and are trained in appropriate security practices to respond to them, the need for detailed rules diminishes significantly.
  • Automation. If the rules prove too complicated for users to understand, see if you can automate the security control so that the rules are transparent. For example, if an executive wants to use a USB flash memory device to store sensitive company documents, do not burden the executive with complicated rules for protecting the contents, or with technology that is difficult to use and understand, such as encryption software that requires the user to select each file and set a unique password. Instead, provide the executive with a flash memory device that has a fingerprint scanner built in. The executive does not need to know that all data on the drive is automatically encrypted. All he or she needs to understand is that, in order to store data on the USB device, he or she must have a finger scanned and enter a PIN on the computer.
  • Understanding Your Audience. As discussed in the Policy Structure section, you also need to tailor your policy to fit your audience. If you are writing a policy for system administrators to guide them in implementing and maintaining firewalls, then the policy should be detailed and technical. If you are dealing with a fundamental IS concept (e.g. "Don't share your password"), keep it simple so all employees can understand their responsibility.

Above all, avoid a formalistic, unbending approach. Information security is an area of constant change, and there are few hard and fast rules. If you do not create a policy environment that takes the need for flexibility and responsiveness into account, you may generate a rule like the sign to the right. It is a speed limit sign on what was once a section of road below the Kilauea Volcano on the Island of Hawaii and is now covered by an immense lava flow.

©2009 ISRMC, LLC