Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

Practical working Security Policies

Effective working policies are a very difficult thing to achieve, whether they are security policies, or any other policies. We've all seen them in our own organisations, employment policies contradict security policies, or ethical policies contradict investment policies, etc. etc.

The school our children attend has a Health Eating policy, and considers itself a Healthy School, my children have reported to me that staff (teaching or lunchtime supervisors) have been known to take chocolate from children because the school has previously sent out notices stating that children are not permitted such things.

All sounds good, but what about other practices, well, not so good. In the mornings children are permitted to buy toasts at the school, and on the toast they can have just butter or jam. When I asked a staff member about this inconsistency, his answer was that they wanted to offer a choice to children. So it seems that the school valued a choice when it came to selling jam on toast, but not when it came to choosing to have chocolate, crisps, and other accompaniments to a sandwich lunch.

It seems that the school hadn't quite thought this one through, and this isn't the only example in that school, or indeed any organisation that has policies. The problem with a school environment is that children aren't able to see the inconsistencies themselves, adults however would most likely complain if they notice inconsistencies, or would they?

Without putting ideas in your minds, I would be very interested in hearing from anyone anonymously (or otherwise) with examples that they have noticed during their adult working life of security policies that contradict working practice of other policies. The purpose of this isn't to name and shame any company, but to draw up a list of the most common areas of inconsistencies that security people find it hard to get right in their organisations. On that basis, policies which have been fixed are also useful to hear about.

Next year I will provide an article and a presentation of my findings to offer good practice advice on policy conflicts.

What’s Hot on Infosecurity Magazine?