This is my personal blog where I will pontificate on any number of things adding to the great cacophany that is the World Wide Web. I have a wide variety of interests and intend to use this as a place more to get ideas out of my head, I really don’t expect to influence many people but simply share what I know, have learned, and feel about various topics whether it’s photography, information security, amateur radio, etc.
I’m still working out a long term solution to my blog. Trying to figure out critically essential things, like, do I put new entries at the top or the bottom? I’ll eventually figure something out since the current pandemic situation is causing a slow down even in my line of work.
Speaking of the pandemic, I’ve noticed that a lot of exceptions made to long-standing rules and laws. Amid quarantine, some states allowed bars and restaurants to serve liquor via delivery and take-out. Since the sale of distilled spirits in many places is tightly regulated, this is a massive exception to the standard rules. We’re also seeing that a lot in the way many companies are operating. Many companies are also finding creative ways to work in this ‘new normal’ by making exceptions to long-standing policies.
Something that I had started talking about with many of my clients before COVID-19 was on the horizon was to create an exception policy as part of their Information Security Management System. Many companies have some boilerplate statement in their policies along the line of:
“Exceptions to this policy must be granted in writing by <insert title here>.”
It’s pretty standard policy language passed down over the years. But many organizations rarely grant exceptions. It’s like this statement was put into the policies because it sounded like an excellent way to satisfy an auditor, but I digress.
But just as having a policy, and making sure people know about it, is having a procedure that is easy to follow. Requiring people to provide volumes of documentation to a committee that only meets on the third full moon on months following an equinox is NOT an effective way to manage exceptions. It needs to be SIMPLE! (I’ll write more on this topic later). The process should be as simple as, say, opening up a service desk ticket includes:
You do have a standard risk assessment methodology and established risk tolerance, right? I digress. Once the exception request is submitted, it can be approved or denied, and in using a ticketing system, you now have your needed documentation.
Removing the stigma of the security department or program is a roadblock to the business is hard. Once your organization understands policy exceptions are allowed and that there is a process to have them granted, it can start to remove the stigma and encourage cooperation.
I’ve been meaning to put a blog back together for quite some time but I’ve always found some sort of excuse. I need a better CMS theme, I need to learn this new static HTML framework, I need time to write, I need…, I need…, I need.
I was starting to fall for the toolbox fallacy:
The reality is that I didn’t NEED any of that, I just needed to put together what you’re reading here. Will it be ugly? YES! Unweildy after a while of writing this in a flat file? YES! It’s going to be as ugly as an Apache 1.x httpd.conf file. But that’s OK. And I’ll eventualy learn that new framework, or find that perfect CMS theme and move this and it will look nice, but not today, today I will just get started writing my new blog.