The Security Policy Questionnaire Problem
Prevent security breaches with a solid security plan.
Virtually everyone who cares about data security – CIOs, CISOs, security vendors – has told me that a company-wide security policy is the first step in risk management. The security policy is usually a collaborative effort – or should be, I'm told – of different entities within the organization, all of whom handle sensitive data, regulations, compliance or legal issues.
But they rarely talk about how the information needed to create a security policy is gathered.
So it was with great interest that I read this article at the OCEG blog site, explaining how not to conduct security policy questionnaires: don't use spreadsheets or word processing documents, because they are inadequate for the job. The article stated:
I have seen organizations with upwards of 40,000 spreadsheets collected for different risk and compliance issues (e.g., SOX, Basel II, Ethics), as control questionnaires are sent to nearly everyone in the organization. The questionnaires come back and the compliance team scratches their heads and says, "Now what? How do we manage and report on this data?"
It gets worse . . . auditors and legal can step in and cry "foul." It is difficult to provide non-repudiation within spreadsheets in a scalable context. Basically, one cannot go back and truly state that "this person answered this compliance (a legal process) on this date and time, and we know this is the original answer and it has not been modified." Spreadsheets do not have this level of authentication, access control and audit trail.
This makes perfect sense to me. I was asked once to review the results of a questionnaire put out to members of the security industry to see if I could make sense of it. It was done in spreadsheet format and was cumbersome to read. Single questions came back with a multitude of variations on a yes or no answer, and sometimes it was impossible to tell which way the respondent was leaning.
It is better to find a policy questionnaire template that allows for real controls and, as the blog post suggests, an audit trail. There are companies that can help create such a template, and programs that provide the right platform for developing your security policy.