As a senior information security professional I am often asked whether we should have a policy that requires our Business Community members to do “X”. In many of these cases the person is asking for a policy that says things like: Business Community members will adhere to the laws governing the safeguarding of regulated data, or Business Community members will not disclose a person’s private medical information to third parties. When the question amounts to something everyone already agrees on, such as “do I really have to follow federal and state law while at work?”, I have to wonder why we would implement a policy telling people to follow their common sense. Shouldn’t a person’s common sense make them very aware that they are not allowed to break a law just because they are at work?
I am not saying we don’t need good, solid security policies. I strongly believe policies are necessary: they are how we tell our community what behaviors are expected of them in protecting organizational data. But these policies should:
- Cover topics and areas that are “gray”, where without a policy people would have to guess at the right thing to do
- Be written so that they define the steps our community members must take to show they are in compliance and exercising due diligence in meeting the intent of applicable laws
- Be enforceable and worthy of being enforced
It is important for Business Community members to use their common sense in fulfilling their everyday duties and tasks; if they do so, courts have generally held that they are unlikely to be held personally liable for security breaches or security issues that occur. In the InfoSec field we call this safety net “due diligence” or being “prudent”, both of which are just other ways of saying making reasonable, common-sense decisions. However, courts have also held that failure to use common sense in protecting data and securing an IT infrastructure is grounds for holding a person personally liable.
Companies are firing IT staff who have failed to make common-sense decisions in protecting data and securing the IT infrastructure they are responsible for. This makes it critical that, in areas where it is not clear what approach constitutes common sense, we protect our Business Community members by having policies in place that give them clear and concise instructions on what they should and should not be doing. For example, if state law requires that we protect SSNs, we do not need a policy that says we must protect SSNs; the law already says that. But we may need a policy that describes how to protect them: using disk or file encryption, using a different identifier in place of the SSN, encrypting the database field that stores the SSN, not storing or using an SSN where it is not really necessary, and so on. Each of these addresses a different risk: full-disk encryption protects a lost or stolen laptop but not data on a running, compromised system, whereas replacing the SSN with an internal identifier removes the SSN from most systems entirely.
Said another way, we should write policies that help non-security Business Community members understand what common-sense ways of protecting and safeguarding data look like. That’s just good Common Sense.
© Kevin L. McLaughlin, probably cited re-use is acceptable