Security Policy

Turns Out Policy in Markdown in GitHub Works!

Matt Konda

I’ve seen policies from lots of companies big and small.  Generally, I’m a techie engineer so I don’t love policy.  I’ve also seen a fair number of companies that clearly don’t follow their policy.  I’ve also seen companies that get certifications like SOC2 and ISO that are meaningless because they systematically lie and their auditors (not us, we don’t do auditing) never check lots of basic things we see.  Sometimes the security teams at the companies aren’t lying, they just don’t even know the truth about their own company.  I get it, there’s all kinds of reasons we can’t always have nice things.

In response to that, we spent a few years at Jemurai trying to write minimal policies that people could understand and follow.  I even published a blog post last summer about it, and we tried selling a minimal policy bundle from our website.  It seemed like a good idea at the time.  I think the philosophy was generally sound in a pure sense.

The problem is, people use policy as a defense against auditors, and without more explicit direction you can’t say you have controls around a variety of things.  You don’t even know you need to know the answer to questions about data loss protection or mobile devices in your network.  Inevitably, sooner or later someone is going to run up against a SIG Lite or a more exhaustive partner checklist or some trigger that forces them to articulate a more complicated policy.

To update our position on this, while staying at arm’s length from auditing and full-on policy work in the future, we developed policies in Markdown and published them to our private GitHub repo.  They look nice and everybody can immediately see what the policies are and who changed them when.  We can also track approvals using pull requests.  For smaller tech companies this makes for a simpler, more digestible way to get, use and publish policy.  It keeps it in a relevant and accessible place.  We can share it with their security point of contact by letting them fork our policy in GitHub.  They can subscribe to updates and merge our new best practices in as they evolve.  So far, this seems to be a good direction.
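The fork, tailor and merge-upstream-updates workflow described above, as an added example that is not code from the original post or from Jemurai.  It runs entirely on local throwaway repositories, so it needs only git, not a GitHub account: one repo plays the consultant’s private policy repo (“upstream”) and a second plays a client’s fork.  The repository and file names, the author identities and the policy text are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from the original post or from Jemurai): a local
# stand-in for "fork our policy repo, tailor it, merge our updates later".
#   upstream = the consultant's private policy repo
#   client   = a client's fork of it
# Repo names, file names, identities and policy text are constructed for
# the demo; only git is required, no network or GitHub account.
set -eu

# Give each repo its own identity so `git log` later shows who changed the
# policy and when (on GitHub this comes from the committer's account).
configure_identity() {   # $1 = repo dir, $2 = name, $3 = email
    git -C "$1" config user.name "$2"
    git -C "$1" config user.email "$3"
}

run_demo() {
    DEMO_DIR="$(mktemp -d)"
    up="$DEMO_DIR/upstream"; cl="$DEMO_DIR/client"

    # 1. Consultant publishes policy v1 as Markdown in the upstream repo.
    git -c init.defaultBranch=main init -q "$up"
    git -C "$up" symbolic-ref HEAD refs/heads/main
    configure_identity "$up" "Policy Author" "author@example.invalid"
    cat > "$up/access-control.md" <<'EOF'
# Access Control Policy

## Scope
Applies to all company systems.

## Rules
- MFA is required for all production access.
EOF
    git -C "$up" add access-control.md
    git -C "$up" commit -q -m "Publish access control policy v1"

    # 2. Client forks (here: clones) and keeps the source as remote "upstream".
    git clone -q "$up" "$cl"
    git -C "$cl" remote rename origin upstream
    configure_identity "$cl" "Client CISO" "ciso@client.invalid"

    # 3. Client tailors the Scope section. On GitHub this change would be
    #    reviewed and approved through a pull request; locally it is a commit.
    sed 's/all company systems/all Example Corp production systems/' \
        "$cl/access-control.md" > "$cl/access-control.md.new"
    mv "$cl/access-control.md.new" "$cl/access-control.md"
    git -C "$cl" commit -q -am "Scope policy to Example Corp production"

    # 4. Consultant publishes an updated best practice (new rule at the end).
    printf -- '- Privileged access is reviewed quarterly.\n' >> "$up/access-control.md"
    git -C "$up" commit -q -am "Add quarterly privileged-access review"

    # 5. Client "subscribes to updates": fetch and merge. The two edits touch
    #    different sections, so git's three-way merge combines them cleanly.
    git -C "$cl" fetch -q upstream
    git -C "$cl" merge -q --no-edit upstream/main
}

run_demo
echo "== Merged client policy =="
cat "$DEMO_DIR/client/access-control.md"
echo
echo "== Who changed what, and when =="
git -C "$DEMO_DIR/client" log --graph --date=short --format='%h %ad %an: %s'
```

The merge only stays clean while the client’s local edits and the upstream changes touch different parts of a file; a client that rewrites the same rule the consultant later updates will see a normal merge conflict and has to decide which wording wins, which is exactly the review moment a pull request is meant to capture.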


Security Policies Rebooted

Matt Konda

Here’s a deep dark secret:  I don’t particularly like security policy.  I don’t always follow policy.  Goodness knows that with the 50-250 page policies I’ve seen, I didn’t even understand the whole policy at a legal level – and if you don’t understand them at a legal level can you really say you’re following them?  Not to mention when one policy contradicts another.

Even at companies with very robust security programs that include policy, it is very common that I approach developers and they don’t understand their company’s policy either – for example, what data they need to protect.  At a previous employer, we used to tease the folks that worked on PCI as having a “passion for compliance.”  That was not a compliment.  Policy came to feel like a necessary evil at best.

Then I met and started to work with our CISO Rocio Baeza.  I didn’t know that I’d end up hiring her as an internal policy, governance and risk resource for Jemurai but I’m lucky I did.  Initially, we did policy because many of our clients that needed technical help also needed policies – some kind of rules to follow.

As we challenged Rocio to “get meta” on the problems with policy the way we try to “get meta” with the technical issues we see, she extended and then surpassed our expectations by developing an approach for Agile Governance.  She implemented policies for clients that were short, to the point, readable and in our collective judgment captured the important things they needed to think about even better than the policy “books” we saw.

Writing policy in layman’s terms, with a focus on simplicity, was something that wasn’t immediately easy to appreciate.  The shorter, simpler policy reads easily and doesn’t feel like it hurts the way some policies do.  It’s like the old quote from Blaise Pascal:

 “If I had more time, I would have written a shorter letter.”

We worked hard to make it shorter.  Does that mean it doesn’t work?  On the contrary, we think it works even better.  In fact, it works so well that we captured the policy in a more digestible way so that people could get access to the policies without a whole consulting engagement.  You can now purchase the policy bundle, which includes the core policy, a license and a simple one-page implementation guide, directly from our website for less than an hour of a security pro’s time.  Check it out:  https://jemurai.com/product/general-security-policy-bundle/ and let us know what you think.