I have been working on documenting how information securities should be written and implemented. The gist of it is:

Only write a policy when there is a real need to do so. When a policy is written, keep it as short as possible. Make sure that any requirements identified in the policy can be monitored and enforce compliance. Always make sure that implementing a policy does not prevent necessary work from getting done, or incur unreasonably high costs. For this reason, all policies should identify if deviation of the policy is permissible and if so, which role may authorized these deviations.


When I sent out the full document for review, one of my coworkers come up with the following gem:

"As XXX can attest, the sysadmins have been looking forward to the time when some policies might be implemented, though I would say that we envisioned policies that applied to the user community, rather than ourselves " I thought that was pretty funny :-)

And on a totally unrelated note: SANS just published their new SANS Top-20 2007 Security Risks (2007 Annual Update) report. I am sure that many other bloggers will comment on it, so I will refrain from doing so. For example, terminal23 blog was the first one that I read.