The Best IT Security Policies Reflect the Value of Simplicity
90 percent of what we do to help people get better security is focusing on straight-forward common sense and having consistent policies and procedures.
To be good at what we do, we always work to make things as simple as possible for our customers because we recognize human behavior, and it is so much easier to remember and do simple things.
People often think of IT security as lots of mathematics and ones and zeroes, but human psychology is an equally important part of the field. Processes and procedures that take human behavior into account are always going to be much more effective.
We often see organizations that have security policies that are very long, intricate documents that need to be read and reread and reread to understand and remember. A shorter, more concise document is better. Even better, the best policies are ones that are enforced through software or hardware so they do not have to be remembered. Here are a couple of examples.
Think about security passwords. We all know that complex passwords (case sensitive, allowing special characters, etc.) are more secure and should be changed on a regular basis (depending on the business requirements, perhaps every six months). But who remembers to do that or really wants to do that on their own? Software is available to help employees manage these changes automatically, rather than requiring them to do it by themselves.
USB drives are a leading cause of viruses and malware – but people use them anyway. The solution? Software that automatically scans all devices prior to use. The result is the best of both worlds, simplicity and security, a combination of benefits we strive for.
When it comes to IT security, the bottom line is that simple and straight-forward is smart.

Brad Johnson is Vice President of SystemExperts Corporation and has been a leader of the company since 1995. He has participated in seminal industry initiatives including the Open Software Foundation (OSF), X/Open, the IETF, and has published many articles on open systems, Internet security, security architecture, ethical hacking and web application security.