Pitfall #2 of 100: Security Policies, Plans, and Procedures
Over the next year or so, we’ll be highlighting a different pitfall each week from the eBook Security Program Pitfalls and Prescriptions to Avoid Them, which was written by ASCENT’s co-founder & CISO, Bryon Miller. There are 100 pitfalls, so stay tuned for a different one each week.
This week, we’re highlighting “Pitfall #2 – Security Policies, Plans, and Procedures.” As many of you already know, security policies, plans, and procedures are key to the success of any security program. Without these critical foundational documents, there is no effective way to document control requirements or assign responsibility, and the personnel responsible for implementing and managing the required security controls are unlikely to be held accountable.
Additionally, if these documents are not effectively implemented, organizations will not be able to communicate the security program controls that have been implemented to any third party (e.g., customer, partner) or independent assessor (e.g., auditor, examiner, regulatory entity). Any assessment of the organization’s security program will be over before it starts without having these must-have documents in place.
So how many policies do you need: one, or one hundred? The simple answer is neither. If you have just one security policy document, you will miss something. You will lose content by trying to pack everything into a single document, or (more importantly) you will lose your audience before they even begin reading the policy, once they realize how long it is. Keep in mind that not every security policy applies to all personnel.
To learn more about this pitfall, and 99 more, get the eBook: 100 Security Program Pitfalls and Prescriptions to Avoid Them (available on Amazon). Or, register for a demo of the ASCENT Security and Compliance Portal and get a free summary of the 100 Security Program Pitfalls eBook today.