6 myths about security policies

Friday, 4 October 2002, 10:39 AM EST

As a technical director in my company's corporate infosec department, I assumed I knew all I had to know about writing information security policies. After spending a lot of time in the past year as part of a team assigned to update and enhance our organization's policies, I can say without qualification that most of my assumptions were wrong.

My company (I can't tell you the name, because that would be against our information security policy) delivers services to the financial sector. Our original infosec policy was written back in the days of the dinosaurs--1995. It was a simpler time. We connected to our business partners over leased lines and knew who was on the other end. Our systems were isolated, aside from a dial-up here and there. The Internet was a fad--why would we ever connect our mission-critical networks to it?

Fast-forward to 2001. Our business partners now used value-added networks and the Internet to send us important stuff. E-mail had become as important as the telephone, and we were doing business on the Web. Our world had become more complex. Our policies were seriously in need of an update.

In the course of working on the new policies, I learned the truth about my assumptions, which I now call the "Six Myths of Infosecurity Policies."

[ Read more ]




Spotlight

Whitepaper: Zero Trust approach to network security

Posted on 20 November 2014.  |  Zero Trust is an alternative security model that addresses the shortcomings of failing perimeter-centric strategies by removing the assumption of trust.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Nov 21st
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //