I’ve been doing a lot of student grading for the Norwich MSIA program, along with a lot of communications with folks new to information security and privacy over the past several years. Policy cost versus policy value has been a frequently occurring topic throughout many of those conversations, and I just wanted to get it out of my mind and on the blog, perhaps to reference later…
Information security and privacy practitioners need to ensure the VALUE of the policies they establish is greater than the COST of the policies.
To make a long story short, the cost of your controls and procedures to support the policies should not be greater than the value of what you are protecting.
Cost includes not just the hard dollars you pay for hardware, software, or other technology, but also the cost of resources such as time, personnel, training, and so on.
I’ve seen many organizations increase the COST of their policies exponentially because of how poorly, and almost infeasibly, the policies were worded, making compliance exceedingly costly as well as almost impossible to meet.
When creating your policies, choose your words wisely. Stay away from absolutes that leave no room for exceptions approved by your area (or whatever the appropriate centralized area is) and backed by compensating controls. I have never, to my recollection, seen a policy for which there could never be a justifiably necessary exception for a valid, but rare, business situation.
Tags: awareness and training, Information Security, IT compliance, policies and procedures, risk management, security awareness, security training