SEC Provides Lessons Learned on Policies and Porn

A recent follow up article in Federal Computer Week (FCW) highlighted the porn scandal at the Securities Exchange Commission (SEC) and suggested this was a dramatic wake-up call for any government agency who doubted the need for and importance of an airtight security policy.

Good for Teri Robinson… who wrote the article!!

However…the steps Teri laid out that an agency should take to build and enforce a security policy are missing a couple of critical steps based on lessons learned and legal defensibility.  Teri suggested the following steps:

• Review existing policy
• Social media guidelines should be included and should be specific
• Assign responsibility because policies are more easily adopted if someone is in charge
• Train, train, train as threats change so do policies so regular training is needed
• Enforce the rules
• Ramp up resources with technology and staffing

I agree with Reviewing Existing Policy, Including Social Media and Enforcing the Rules.

I sort of agree with Assigning Responsibility and Train, Train, Train…

I disagree with Ramping Up Resources and Staffing Up.

Based on lessons learned, the following steps are also needed:

• Accountability at the Individual Level
• Documentation of Individual Acknowledgements
• Situational Awareness and Case Studies that relate to organization specific policies
• Incident Reporting and Incident Management Tools for Assessment/Prevention Teams

And based on lessons learned, more staff for enforcement and training is probably not necessary if you implement the right tools for current personnel to utilize.

Now if we could just get federal agencies to start using “tractors” instead of “old horses”…