Black Hills Information Security, September 29
CJ Cox on the essentials and practice of security policy

CJ Cox takes a deep look at how security policy is written and enforced, stressing its role as the cornerstone of an organization's security. He criticizes long, impractical policies, noting that many exist only on paper. The article offers a practical methodology, including how to build policy from scratch and how to distinguish policies, procedures, standards, and guidelines. Cox argues that policy should be short, clear, and easy to understand and execute, and urges resource-constrained organizations to borrow from and share existing resources to produce effective security policy. He recommends dividing policy into layers and writing the corresponding detail for each layer so that it is actionable and measurable, genuinely reducing the rate of security incidents.

🛡️ **Policy as the foundation, and the challenge**: CJ Cox stresses that security policy is the cornerstone of an organization's security program, yet in practice many policies are long, unrealistic and exist only on paper, leaving users unaware of them or non-compliant. He criticizes the "tail wagging the dog", where impractical policy gets in the way of real security work. For small, resource-constrained organizations, writing effective policy is even harder and calls for creativity and collaboration.

📚 **Finding and borrowing resources**: Given limited resources, Cox encourages organizations to "steal, borrow and sample" existing policy resources such as the SANS Policy Page or the writings of Charles Cresson Wood. Citing Wood, he stresses that policy should balance competing objectives such as ease of use, speed, flexibility and security, and should document complex considerations as clear, actionable security architectures, requirements and plans.

🧩 **A practical framework for building policy**: The article proposes a "divide and conquer" approach that splits security requirements into layers and "buckets" (such as systems security, data security, account management, training, personnel security, acceptable use and incident response). For each bucket, create policies, standards, guidelines and procedures, keeping things simple and growing them step by step so the policy stays understandable and enforceable.

💡 **Principles for concise policy writing**: Citing Bob's Policium Concisium, Cox insists that policy should be "short, clear and concise". He rejects "foolish consistency", encourages drawing on the spirit of short but powerful documents such as the US Constitution, and wants policy that is both enforceable and measurable rather than so complex that nobody reads it.


CJ Cox talks about the highs, lows, hows and whys of security policy.
// Show Notes

Why are we doing this?

Do you hate your audience? GDPR was bad enough.
My Methodology

The Rant
A cross between Bobcat Goldthwait and Dennis Miller


Policy is the foundation to the foundation
Don’t we all just love Policy

If I’m going to do this, I’m going to do this right


Law and Policy 16th street mall
Bad Policy Gov’t 1,000s of pages, Shelf-ware

Don’t let the Tail Wag the Dog


The challenge of the small organization. We are all resource constrained. If not, help the rest of us out, eh?

Resources

Steal it, borrow it, sample it,
SANS Policy page: free 99
Charles Cresson Wood: version 10 $990; version 8 $9.00 CD, 740 pages
From the book of Wood “He is noted for his ability to integrate competing objectives (like ease-of-use, speed, flexibility and security) in customized and practical compromises that are acceptable to all parties involved. Acknowledging that information security is multi-disciplinary, multi-departmental, and often multi-organizational, he is additionally noted for his ability to synthesize a large number of complex considerations and then to document these in security architectures, system security requirements, risk assessments, project plans, policy statements, and other clear and action-oriented documents.”
Articles
Surveys show policy reduces breach occurrence…19-46%…Full Policies 57-93% …

Nuts and Bolts

Policy, Procedures, Standards, Guidelines: what's the difference?

Divide and Conquer

Framework/Buckets
Keep it simple and grow it

Sample:

Layer 1

Systems Security
Data Security
Account Management
Passwords


Layer 2

Training
Personnel Security
Acceptable Usage


Layer 3

Incident Response
Assessment


For each box, create policies, standards, guidelines, and procedures.

Guidance

Bob’s Policium Concisium: Advice on Writing Security Policy “The great curse of comprehensive policy… is that they are only used when something goes wrong. The battle cry of “did you follow the policy?” is usually met with … the following response, “What policy?” [1]
Keep it short, clear, and concise.

A foolish consistency is the hobgoblin of little minds.
Remember the 10 Commandments…

How about the FAR?

The FAR: $2.08, 2,017 pages. “The Federal Acquisition Regulation (FAR) contains the uniform policies and procedures for acquisitions by executive agencies of the federal government.”


Constitution of the US….
Are Policies enforceable?
Are they measurable?

Process

Set Priorities

Are you starting from scratch? What is really important? Look at your incident record.
Management and User Buy-in

Management is not stupid


User Group? Management Leverage? Buy-in. Get influence… if you don’t have influence, get it. Until then, keep it manageable.


Support
Stake in the ground
Format

Introduction

Purpose
Quick Definition


Scope
