fred avolio's musings

My editor at WatchGuard Technologies, Scott Pinzon, said in part, “Producing Your Corporate Security Policy” has drawn a phenomenal response. In its first few days, it has generated a 95% click-through rate … the highest rate in the shortest number of days [the marketing rep] has ever seen.”

Here is the executive summary: Network security experts agree that well-run corporations need a written security policy. The policy sets appropriate expectations regarding the use and administration of corporate IT assets. However, the conventional wisdom holds that composing and maintaining these documents bogs down in a morass of bureaucratic inefficiency and pointless wrangling, which never ends and produces nothing useful.

This paper lays out a common-sense approach to writing corporate security policies that makes them easier to draft, maintain, and enforce. Our “question and answer” approach requires no outside consultants. Instead, you can use your in-house knowledge and resources to yield a brief, usable, and — most importantly — understandable policy document, in a reasonable amount of time. To help you generate such a policy, this paper clears away some misconceptions about the purpose of network security; details the process of writing the policy; then explains how to keep refining the drafted policy. Find the complete 15 page paper at www.watchguard.com/docs/whitepaper/securitypolicy_wp.pdf.

It is aimed at small- to medium-sized enterprises. And I just realized, it says, “requires no outside consultants.” Steve Fallin, my collaborator, must have snuck that by me.