Common Sense Requires No Policy

As a Senior Information Security professional I am often asked if we should have a policy that requires our Business Community members to do “X”.  In many of these cases the person is asking for a policy to be written that says things like: Business Community members will adhere to the laws surrounding the safeguarding of regulated data or that Business Community members will not disclose a person’s private medical information to 3rd parties.   Now, when asked a question that consists of what people in common would agree on, such as do I really have to follow the federal and state laws while at work, I have to wonder why we would want to implement a policy to tell people to follow their common sense.  Really, shouldn’t a person’s common sense kick in and make them very aware that they are not allowed to break a law just because they are at work.

I am not saying we don’t need good solid security policies as I strongly believe that policies are absolutely necessary and required as a way to share with our community the behaviors expected of them in the protection of organizational data but these policies should:

  • Cover topics and areas that are “gray” and that without a policy would require people to guess at the right thing to do
  • Be written in such a manner that helps define what steps are necessary for our community members to show they are in  compliance and showing due diligence in meeting the intent of applicable laws
  • Be enforceable and worthy of being enforced

It is important for Business Community members to follow their common sense in fulfilling their every day duties and tasks, if they do so the courts have ruled that they are most likely not going to be held personally liable for security breaches or security issues that occur.  In the InfoSec field we call this safety net the principles of “due diligence” or being “prudent” both of which are just other ways of saying making reasonable and common sense decisions.   However, the courts have also ruled that failure to use common sense in the protection of data and the securing of an IT infrastructure is grounds for holding a person personally liable.

Companies are firing IT staff that have failed to use common sense decisions in the protection of data and securing the IT infrastructure they are responsible for.  This makes it critical that in areas where it is not clear what approach constitutes common sense we protect our Business Community members by having policies in place that provide Business Community members with clear and concise instructions on what actions and activities they should or should not be doing.  For example:  If State Law requires that we protect SSNs we do not need a policy that says we have to protect SSN, the law already says that, but we may need a policy that describes ways of protecting SSNs such as using disk or file encryption, using a different type of identifier, database encryption of the field which stores the SSN, not storing or using an SSN in places where it is really not necessary to do so, etcetera.

Said another way, we should write policies that help non-security Business Community members understand what the common sense ways of protecting and safeguarding  data look like.  That’s just good Common Sense.

© Kevin L. McLaughlin, probably cited re-use is acceptable

About mclaukl

Professional Certifications - Certified CISO, CISM, CISSP, PMP, ITIL Master Certified, GIAC Security Leadership Certificate (GSLC), CRISC. Kevin also holds Certificates in the Advanced Principles of Information Security and in Advanced Information Security Research Methods from Jones International University. Kevin L. McLaughlin began his career as a Special Agent for the Department of Army. He was responsible for investigating Felony crimes around the globe. He has had many careers over the years, including being a Police Officer in Kissimmee Florida, an Investigator for Mastercard/Visa, a Middle School teacher, a Director at Kennedy Space Center (where he worked with Fred Hayes, James Lovell, Armstrong, Sheppard, etc.), the President of his own company, an IT Manager and Senior Information Security manager with the Procter & Gamble (P&G) company (fortune 35), a CISO at the University of Cincinnati and a Senior Information System Security Manager for the Whirlpool Corporation (fortune 125). Kevin has also been an adjunct since 1992. While at P&G Kevin created one of P&G’s augmentation outsourcing teams in India. Kevin designed and implemented this India team and it won a global Gold Service award from Atos-Origin and has acted as a model for countless corporate relationships since. Over the years Kevin has: created an Information Security program conducted Information Security Strategic planning designed Information Security solutions, investigated over 700 Cyber cases and operated a Global Security Operations Center. • Education - MS in Computer Science Education, BS in Management of Information Systems * PhD in Cyber Security, University of Fairfax
This entry was posted in Uncategorized and tagged , , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s