Computerworld’s Anton Chuvakin lists “Five basic mistakes of security policy: The essentials can trip you up”. A security policy, whose purpose is to define what must be protected and to minimize risk, is vitally important to organizations of all sizes. Creating and disseminating such a policy is required by many regulations. But mistakes are made in the process, and they can have costly repercussions.

The 5 basic mistakes:

  1. Not having a policy (at all, or having one that is only implied) - Once a policy is written, document any deficiencies in the current IT systems against it, analyze the risks those gaps pose, assess the cost of closing them, and bring the systems into compliance with the new policy.
  2. Not updating the security policy - IT security threats are always evolving, so your policy should too. Update it as your company network and business processes change.
  3. Not tracking compliance with the security policy - If you don’t enforce your policy at all levels, it’s just a piece of paper. Make sure everyone knows about it, that awareness training is conducted regularly, and that monitoring of activity is ongoing.
  4. Having a “tech only” policy - As we’ve also noted before, people are as much of the problem as technology. The policy should cover people, process, and technology. Reviewing log data of system and user activity is a good way to monitor compliance with all three.
  5. Having a policy that is large and unwieldy - Employees at all levels of the organization must be able to understand it; a document that is too long, too strict, or written in legalese will result in non-compliance.

What other mistakes do you think companies make with their security policies?
