Resources for Federal Information Security Management Act (FISMA)

Five basic mistakes of security policy

www.computerworld.com

As security policy mistakes go, this is a big one and can range in practice from not having any policy to only having an "implied policy" -- one that is informally discussed by management, but not written down or distributed to anyone.

Not only does this careless approach leave a security weakness and create legal liability, but it might also be in violation of regulations that explicitly mandate a properly written and disseminated security policy. (See my previous article, "Security Policy in the Age of Compliance," for the discussion of this.)

Of course, as soon as a policy is formally created, companies often discover that a large portion of their systems actually violate it. This isn't surprising, since it indicates that the policy was not developed solely around current standards of IT operations. This means that, in addition to a security policy, companies also must document the deficiencies in their current systems, analyze the risks, and assess the costs of remediation of those deficiencies to bring them into compliance with the new policy.

View the Resource

Share or bookmarklet this web page at: