Policy Creation: Ask the Right Questions

By: Absolute Team | 12/23/2008

RSA's Meena Raju asks if "you are scared of the word policy," in a blog post about Asking the Right Questions When Implementing a Data Loss Prevention Policy. I think that's a fantastic way to bridge into this topic. Scared is exactly the word. Individuals and companies are scared of putting together a policy on something that seems as complicated as security, particularly since whatever is 'set down on paper' becomes an actionable set of guidelines. What if it misses areas? What if it's confusing? What if it is an accurate policy, but one that's 'wrong' for your company?

The RSA team put together a series of best practices when considering a data loss prevention (DLP) policy.

What is the data that you want to protect? And how should you protect it? Sounds simple, right? As our customers find, there are many more questions that need to be asked upfront.

Some of the questions that RSA suggests asking are:

  1. Who is the policy going to apply to and how does it impact them?
  2. What type of information are you trying to protect?
  3. Why are you protecting it?
  4. Where should you protect it? Is data in motion or in a datacenter? Is it being used at endpoints? Strategize which information state needs protecting first.
  5. When should you trigger a violation?
  6. How should you protect the information? Audits, encryption, blocking, etc. Choices should be made depending on the type of information.

As Meena notes, "policy" isn't a bad word or a word to be scared of. "Be smart and be strategic and you’ll love your policies."

Stay tuned to our Security Policy category for tips on how to create effective security policies, as well as relevant studies or facts on the topic.
