The Security Policy Questionnaire Problem

By  Sue Poremba | Oct 7, 2010

Virtually everyone who cares about data security – CIOs, CISOs, security vendors – has told me that a company-wide security policy is the first step in risk management. The security policy is usually a collaborative effort – or should be, I'm told – of different entities within the organization, all of whom are in touch with sensitive data, regulations, compliance or legal issues.

But they don't often talk about how the information to create a security policy is gathered. 

So it was with great interest that I read this article at the OCEG blog site, explaining how not to conduct security policy questionnaires.  Don't use spreadsheets or word processing documents, which are inadequate.  The article stated:

I have seen organizations with upwards of 40,000 spreadsheets collected for different risk and compliance issues (e.g., SOX, Basel II, Ethics), as control questionnaires are sent to nearly everyone in the organization. The questionnaires come back and the compliance team scratches their heads and says Now what? How do we manage and report on this data?

It gets worse . . . auditors and legal can step in and cry 'foul.' It is difficult to provide non-repudiation within spreadsheets in a scalable context. Basically, one cannot go back and truly state that "this person answered this compliance (a legal process) on this date and time, and we know this is the original answer and it has not been modified." Spreadsheets do not have this level of authentication, access control and audit trail.

This makes perfect sense to me. I was asked once to review the results of a questionnaire put out to members of the security industry to see if I could make sense of it. It was done in a spreadsheet format, and was cumbersome to read. Single questions came back with a multitude of variations on a yes or no answer, and sometimes it was impossible to tell which way the respondent was leaning.

Better to find a policy questionnaire template that will allow for real controls, and as the blog post suggests, an audit trail.  There are companies out there who can help create a template and programs that can provide the right platform for developing your security policy.
