Policy of Truth

For those of us who do consulting, here are some great tips from Kevin Beaver, over at SearchSecurity.com ---

"If you develop and maintain sound security policies, plans and procedures, you win two-thirds of the compliance battle. Don't forget information security standards (types of security tests to perform, encryption required, permitted authentication systems, access levels and so on), IT frameworks (ISO 17799, COSO, etc.), and audit parameters (when, by whom, etc.) that are crucial to security management as well. Make it standard operating procedure to periodically check security policies, plans, procedures and standards for omissions, discrepancies, contradictions and overlap.

Also, develop your documentation at the highest level feasible so you can apply as many policies and procedures to as broad a range of regulations as possible. Having separate policies for each regulation is an exercise in futility. "

Documentation is a favorite hobby-horse of mine. It sometimes feels like I am the only person who understands that it is important to write everything down. And not just policies--- document your hardware, your software, your software licenses, your maintenance calls, your user interactions, everything, everything, everything. A simple Access database can make your life instantly easier not just when the regulators come calling, but the next time you need to know just what lived on that newly dead workstation in your remote clinic in Outer Innerstanniavilleburg.