Today we've been working on a model policies concerning IoT and BYOD security.
We offer two distinct types of policy:
- Formal information security policies explicitly defining the rules, obligations and requirements that must be satisfied, with a strong compliance imperative relating to management's authority. These are the internal corporate equivalent of laws ... although we go to great lengths to make them reasonably succinct (about 3 sides), readable and understandable by everyone, not just lawyers familiar with the archaic and arcane legal lexicon (such as has heretofore in the present clause been ably demonstrated, m'lud).
- Informal - or at least semi-formal - Acceptable Use Policies that are more advisory and motivational in nature. These compare pragmatic examples of acceptable (in green) against unacceptable (red) uses to illustrate the kinds of situation that workers are likely to understand. They are even more succinct - just a single side of paper.
Although they don't contain huge volumes of content and are relatively simple, it takes a fair bit of time and effort to research, design and prepare them. Part of our challenge is that we don't have a particular organization in mind - these are generic templates giving customers a reasonably complete and hopefully useful starting point that they can then customize or adapt as they wish.
Those customers who already have policies covering IoT and BYOD might find it helpful to compare theirs against ours, particularly in terms of keeping them up to date with ever-changing technologies and risks, while also being readable and pragmatic. Having been developing policies for close to 30 years, I've learnt a trick or two along the way!
The policies will be delivered to NoticeBored subscribers in January's security awareness module, and are available to purchase either individually or as a suite from us. Contact me (Gary@isect.com) for details.