This isn’t so much a “how to” as a “how not to”. There are good ways and bad ways to do things in your job. The folks at SANS have a list of things to avoid so as to not suck out loud at your job.
Enjoy.
From SANS Internet Storm Center:
Security Policy and Compliance
- Ignore regulatory compliance requirements.
- Assume the users will read the security policy because you’ve asked them to.
- Use security templates without customizing them.
- Jump into a full-blown adoption of frameworks such as ISO 27001/27002 before you’re ready.
- Create security policies you cannot enforce.
- Enforce policies that are not properly approved.
- Blindly follow compliance requirements without creating an overall security architecture.
- Create a security policy just to mark a checkbox.
- Pay someone to write your security policy without any knowledge of your business or processes.
- Translate policies in a multi-language environment without consistent meaning across the languages.
- Make sure none of the employees finds the policies.
- Assume that if the policies worked for you last year, they’ll be valid for the next year.
- Assume that being compliant means you’re secure.
- Assume that policies don’t apply to executives.
- Hide from the auditors.
Nothing was said about avoiding bedazzler-related jacket disasters.
🙂
For the full list, read on.