Information security policies without technical controls are not effective. Consider traffic laws such as speed limits. The ‘policy’ on the 101 freeway right by our office is that cars should go no faster than 65 miles/hour and trucks no faster than 55 miles/hour. Many people choose to drive at speeds over 80 miles/hour. The only thing enforcing this policy is the California Highway Patrol (CHP), and that is enforcement by people after the fact, not a technical control. The officers are out there, but there are far more drivers than officers. The same is often true in your business. If you create a policy and expect your employees to simply follow it, think again. If you expect to have your own internal CHP, I’d ask you to reconsider after thinking about how most people feel about getting traffic tickets.
What’s the answer? Let’s look at another example from traffic.
A breathalyzer interlock is often required for people convicted of a DUI. The device is a technical control: the driver must provide a sober breath sample before the vehicle will start. The policy (the driver must be sober) is enforced by a technical control (the breathalyzer interlock), not by the chance of being caught. How can we apply this idea to speed limits? A more effective technical control would be a car that knows the speed limit where it is and physically cannot exceed it. On public roads this would meet a great deal of resistance over privacy and civil rights, but in your own business you have total control over the devices you own (personal devices your employees bring in are a different matter), and you can configure them so that the prohibited action is simply not possible.
Your information security policies should be matched with technical controls: for every rule a policy states, ask what mechanism makes the prohibited action impossible, or at least detected, rather than merely forbidden. A policy that says ‘do not copy company data to USB drives’, for example, is only as good as the device-control setting that blocks removable storage.
Last, remember that communication is key. Your employees must understand the purpose of your policies in order to agree with them and be comfortable with them. They also must know that the policies exist. It can be hard to believe, but most employees don’t fully understand what they are and are not allowed to do at work. This I blame on the length of policies. Most policies are written as legal documents to protect the employer. Therefore, they are long and boring. However, I have a solution. Just as Creative Commons brought complex licensing to everyone by publishing a short, plain-language summary alongside each full license, a short plain-language version of each policy can communicate effectively with your employees while the full legal text still exists for the lawyers. Please remember your employees when writing your policies.