Week 10: Avoiding Security Control Creep
During class discussion this week, one of my peers mentioned that their company seemed to be caught in an ever-growing spiral of thousands of applicable security controls. As information security professionals, we often focus on complying with industry best practices to the greatest degree practical, but we need to stay grounded in the truth that policies are only useful when they are widely understood. Even if the information security department has a strong understanding of the controls in use, it is an uphill climb to effectively educate the rest of the organization. For example, project managers are responsible for bringing some sort of change with each project, and if they cannot understand the applicable security policies, they may well introduce a vulnerability that the policy should have prevented. This same risk extends to the user base: if they don’t have a clear understanding of the security policy, then their behavior won’t be cons...