The dangers of using security policy templates in the enterprise

Among other drawbacks, using security policy templates can make compliance audits and breach assessments harder for enterprises. Expert Joseph Granneman explains why they're risky.

In the world of massive regulatory compliance requirements, we've all taken security policy templates and adopted them into the organizational policy manual. It seems like a quick fix to thicken up the policy manual and check that regulatory box. It has become big business to sell stacks of prebuilt Payment Card Industry (PCI) Data Security Standard, HIPAA or National Institute of Standards and Technology-compliant policies online. There may have even been times when these templated policies introduced helpful new concepts or ideas. Security policy templates can be very useful, but only if they are properly vetted.

The danger arises when these templates are blindly adopted without any review. Organizations often purchase these security policy templates as a result of a HIPAA or PCI assessment in which policies were a focus for remediation. These organizations may not have an information security person on staff, so they search online and purchase their policies to check the box on the remediation listing. This happens frequently in small to medium-sized businesses undergoing compliance audits.

The risks facing organizations

The biggest risk to these organizations is adopting the policy without adopting the actual practice. For example, if the policy states that a password needs to be 12 characters long and complex, the organization must enforce that requirement. If the practice isn't adopted, then an auditor who is called in during the next assessment or in a breach investigation will immediately be drawn to this disparity. The auditor will then begin to question all of the other policies in place, as doubt will be present about the integrity of the information security program. The organization makes the auditor's job easy by documenting its own noncompliance. This could lead to larger financial penalties in a breach investigation or to the loss of regulatory compliance in an assessment. In these cases, it is actually better for the organization to have no policies in place than to have policies that do not match actual practices.

The other potential issue with security policy templates is that they may not be clear and understandable to everyone who reads them. Many security policy templates are written as if they were intended only for people who have attended law school. They tend to be long-winded and use very formal language, as if they were contracts instead of policies. However, the best policies are those that are short and easily understandable for employees who may not have an information security background. Employees will not follow policies if they need a lawyer to interpret them.

Information security is still in its infancy from a program measurement and audit perspective. We still don't have an accurate method for determining the success or failure of an information security program. CISOs have tried many different metrics to demonstrate the success of their programs. However, auditors who investigate information security programs during an assessment or after a breach will focus immediately on the information security policies and procedures and how well they were implemented and enforced.

Many compliance auditors are not technical and will rely on automated scripts along with policy and procedure documentation for their assessments. Unmodified security policy templates can foster a negative impression of the information security program from the auditor's perspective, regardless of the level of technical security that has actually been implemented.

Security policy templates can be a real help in putting together an information security program. However, they need to be properly vetted, edited and customized to meet the specific requirements of your organization. Policies also need to match organizational practices and be written in plain language that employees can easily understand. Compliance auditors will likely base a large portion of their opinion of the organization's information security program on its policies and procedures. Unedited templates could derail an otherwise successful compliance audit.

This was last published in January 2017