I noticed an interesting thing about security policies the last time I started in a new job. Every time I start with a new company I read the entire Security Policy. (It should be required reading for anyone in a security job for an organization, but I’m impressed that I usually end up becoming the “Security Policy Authority” after that exercise, just because nobody bothers going through it J). The impression is generally that a good set of security controls are in place. However, as  time passes, I start to see the exceptions, the new controls that are still being implemented, the legacy stuff that should have been retired but is still lingering around, etc. It always takes time to understand the gap between the policy and its current implementation.

After seeing that so many times, I wonder: why aren’t organizations monitoring the policy implementation? In fact, it should be one of their key metrics! You measure your policy against the threat landscape and your risk appetite, than check if that policy is in fact being enforced.

Unrealistic expectations about the implementation of the security policy are extremely common. The executive sees a document to be approved and signs it. It probably has the same feeling as Capt. Picard saying his famous “Engage!”. But after that, he doesn’t pay attention to the huge number of exceptions granted or just delegates that process, in such a way that what’s on paper ends up being  very far from what’s actually being done. An Internal Audit department might be able to help, but I’m not just making the point of verifying, I’m talking about actively monitoring it as a guidance metric. Audit usually doesn’t go that far. I’m also talking about benchmarking different Lines of Business and Technologies, in a way that a CISO would be able to understand where he’s getting more support from, who is resisting the implementation of the policy and even whether it makes more sense to drive investments to more enforcement or to deploy additional controls. I think some would call it an “actionable metric”.

I’m interested in hearing from people currently monitoring their security policy implementation level? How are you doing it? How are you using that data? Any tools being used (maybe GRC)?