Then, just as it's all beginning to make some sense... it's time to re-draft your security policies.
Of course work like guarantees that policy writing consultants can make their monthly mortgage payments, but it does seem like a lot of effort. Therefore, I've been doing some of my own research into what would be the best way to write a security policy that would withstand the test of time.
After spending many hours researching the best authors on the planet, I finally found the answer in Divine texts. Yes, you see, Holy books have been around for centuries and act as a policy, guiding its followers towards the truth. For one to truly make the ultimate security policy, one must follow the logic such as is used in the Bible.
Follow these simple steps to make your own physical manifestation of your company's security word!
Rule one: Paradoxes
The only way your policy can be successful is if it cannot be disproved. The only way to make sure this can't happen is to build a few logical dead ends. By suggesting that your CISO is always right, you get people pointing at hackers and environmentalists. You should instead say that your company is always going to test their employees. Have your CISO always answer questions with a question.
Rule Two: Make Up Rules
No policy is complete without a list of rules that cannot be broken under penalty of disciplinary. The wackier the rule, the more that people will believe that there is some security inspiration for it.
Thou shalt not think
Thou shalt not display thou badge in communal areas
Thou shalt not wear of metal the hat unless in negotiations for your company
Use the mouse only of the right hand
Thou shall recycle brown glass in confidential bins
Thou shalt not update thee twitter or facebook
If you are having trouble thinking of rules, just think of the things you really like to do and forbid people from doing them
Rule Three: Make your Policy Big and Thick and Old Looking
No one believes in something that looks like it came right off a printing press or that's on a PDF file. Only print hard copies of your policy ensuring it is brownish with a slight mouldy smell. Your policy should also be extremely thick. Your CISOs words will be much more believable if they are hand written in script. You can also make the last 2000 pages blank and tell your employees that once they are true security representatives that the text will become legible. Sit back and wait to hear what stuff the true security representatives come up with in security's name.
Rule Four: Your CISO kicks Other CISOs Asses
I would highly suggest including passages where your CISO takes out rival organisations CISOs in a bar fight or gun battle. Describe other CISOs as pansies or misguided security officers that quit your CISOs team once they found out they couldn't make partner. Make sure that he doesn't destroy all of the CISOs, just roughs them up a bit. OK, he can kill all but one of them, so that weak, fake CISO can go back and tell everyone what a bad ass your CISO is.
Rule Five: Give Awesome Heavenly Incentives
Why should hard working employees follow all security requirements all year round for little or no recognition or reward? Promise incentives such as unlimited chocolates, the best laptops, personal office and 100% pay rises.
Rule Six: Create a lot of loopholes
Hacking is bad. Hacking in the name of your organisation is GOOD!
It is forbidden to kill... everyone but non-employees.
You cannot share passwords... unless it is the third Wednesday after the second Tuesday.
It's OK if your story has a lot of holes in it. 500 years from now, they'll just say that some of the documentation is missing and that your CISO is infallible and this is a test.
This article first appeared on www.infoseccynic.com