Picking up on the thread from my last post I found this article on Computer Weekly.
Technical controls certainly have a relevant role in information security, but all forms of controls are liable to fail unless the organisation has a clearly-written regularly-voiced policy that is communicated in a language that the employees will understand.
Well, yeah. I had an opportunity to meet with yet another company last month. They said that they had a great set of policies and that they had covered all the bases. OK, great. When was the last review of the policies? Blank looks from around the room. Hmm, not good. So, who can tell me what the company’s internet usage policy is?
“We have one that was written in 1998” was the response. Yet no one could tell me what was in the policy. You could have the greatest set of policies ever written. But if the employees don’t know what they are, then they aren’t worth squat.
[tags]Information Security Policy, Infosec, Policy Enforcement[/tags]