Does anyone ever consider how we actually follow policy? Do we think about the security and connectivity in what we do, and how it aligns with the policy in the workplace?

@synture As someone who spends a lot of time in policies (a lot), from my own experience: keep policies broad enough unless you have specific compliance mandates. Align your procedures to policies and compliance requirements (try not to do it the other way around). Procedures are where you can get more detailed. You need some level of user acceptance or adoption will fail. Enact audit and corrective action to check that policies/procedures are followed. And you need management buy-in for enforcement.

@synture Not nearly enough, especially in my previous job, which had a significant overlap between the list of things forbidden by the policy and my duties in server ops.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.