Focus On Things That Matter

It sounds like there are good things coming out of the Infosec World conference. Just last week I and a co-worker had commiserated about too many security policies focusing on things people are not going to do anyway. So to pick your battles so you can stand your grounds seems pretty wise. Too much interference (that is what security is) exposes that no one is watching so people come to ignore anything security people have to say.

Infosec: Information security policies should focus on top-level goals – Computerworld

“By definition, policies are mandatory” and should only include items that absolutely must be complied with, said Charles Pask, managing director of ITSec Associates Ltd., a consultancy in Leicester, England. The specific standards and controls needed to comply with official policies should then be implemented as part of an overall risk assessment program, he said.