
Information Security Policies Without Technical Controls are Nothing!

Information security policies without technical controls are not effective. Consider traffic laws such as speed limits. The ‘policy’ on the 101 freeway right by our office is that cars should go no faster than 65 miles per hour and trucks no faster than 55 miles per hour. Many people choose to drive faster than 80 miles per hour. The only thing enforcing this policy is the California Highway Patrol (CHP), and that is not a technical control but people: they are out there, but there are far more drivers than officers. The same is often true in your business. If you create a policy and expect your employees to simply follow it, think again. If you expect to run your own internal CHP, I’d ask you to reconsider after thinking about how most people feel about getting traffic tickets.

What’s the answer? Let’s look at another example from traffic.
A breathalyzer interlock is often required for people convicted of a DUI. The device is a technical control: the driver must prove they are sober before the vehicle will start. The policy (the driver must be sober) is enforced by a technical control (the interlock). How could the same idea apply to speed limits? A more effective technical control would be a car that knows the posted speed limit and refuses to exceed it. On public roads this would meet a great deal of resistance on privacy and civil-rights grounds, but in your own business you have total control over the devices you own.

Your information security policies should be matched with technical controls.

Last, remember that communication is key. Your employees must understand the purpose of your policies before they will agree with them and be comfortable with them, and they must first know that the policies exist at all. It can be hard to believe, but most employees don’t fully understand what they are and are not allowed to do at work. I blame this on the length of policies. Most policies are written as legal documents to protect the employer, so they are long and boring. There is a solution. Just as Creative Commons brought complex licensing to everyone by publishing simple, human-readable summaries of its licenses, a short, plain-language version of each policy can communicate effectively with your employees. Please remember your employees when writing your policies.

This Post Has One Comment
  1. Let’s not forget that a good policy is one that is transparent to the end user, documented or not. It seems like the real issue here is understanding the purpose of the policy and developing a repeatable process to test and monitor its effectiveness. Unfortunately, the implementation and enforcement of all policies are not technical. In the case of the speed-limit control, we often rely on people rather than machines to enforce the policy, which is often considered an operational control rather than a technical one. However, technical controls are available in this case. Programming your car not to exceed the speed limit or using cameras may or may not be effective. Ultimately, good policy will always require understanding the real risks to your environment and developing creative ways to mitigate those risks that enable your business rather than paralyse it.
