As a technical director in my company's corporate infosec department, I assumed I knew all I had to know about writing information security policies. After spending a lot of time in the past year as part of a team assigned to update and enhance our organization's policies, I can say without qualification that most of my assumptions were wrong.

My company (I can't tell you the name, because that would be against our information security policy) delivers services to the financial sector. Our original infosec policy was written back in the days of the dinosaurs--1995. It was a simpler time. We connected to our business partners over leased lines and knew who was on the other end. Our systems were isolated, aside from a dial-up here and there. The Internet was a fad--why would we ever connect our mission-critical networks to it?

Fast-forward to 2001. Our business partners now used value-added networks and the Internet to send us important stuff. E-mail had become as important as the telephone, and we were doing business on the Web. Our world had become more complex. Our policies were seriously in need of an update.

In the course of working on the new policies, I learned the truth about my assumptions, which I now call the "Six Myths of Infosecurity Policies."

[ Read more ]