Tanya

11/4/2025 · 48 min

Tanya Janca is a globally recognized AppSec (application security) expert and founder of We Hack Purple. In this episode, she shares wild stories from the front lines of cybersecurity, from her time as a penetration tester to her work as an incident responder.

You can sign up for her newsletter at https://newsletter.shehackspurple.ca/

Sponsors

Support for this show comes from ThreatLocker®. ThreatLocker® is a Zero Trust Endpoint Protection Platform that strengthens your infrastructure from the ground up. With ThreatLocker® Allowlisting and Ringfencing™, you gain a more secure approach to blocking exploits of kn...

Transcript preview

First 90 seconds
  1. Jack Rhysider · Host · 0:00

    Hey, this is Jack, host of the show. For a while, I worked at a big company doing security engineering, and every year someone would come in and do an audit on us, and they would ask us the same question: "Do you have a security policy?" "Yes, of course we do." "Is it available for all of your employees to find?" "Yep. It's right there on SharePoint." But this got me thinking. Yeah, sure, it was right there in SharePoint, but it was called something ridiculous like ISP_Overview or something like that. And ISP stood for Information Security Policy. And it made me wonder, if this document was so important that we would be audited to check to see if we had it and make sure all our employees had access to it, could any of them actually find it if they needed it? Like, this policy said stuff like, what are our security objectives, who are the people that we escalate things to, what's acceptable in our network and not, who should be able to access what, as well as what we should do when there's an incident, how often our security training should be, and what our security standards are. So one day when I was feeling feisty, I decided to do something to make a point. I asked everyone on shift at our network operations center, "Hey, you have 15 minutes to find the company's security policy. Winner gets a free item in the vending machine. Go." And everyone started looking. First they typed "security policy" in our department's portal, and that actually brought up security policies for some of our customers, which I thought was really cool that our customers were taking their security policy so seriously
