--Originally published at (Not so) Random talk
Let’s play, let’s play, with allegories and fantasies.
Let’s play, let’s learn, about security policies.
The company becomes a kingdom,
The CEO becomes the queen.
But being who I am,
But being who you are
It can’t be any kingdom
And now you are in Wonderland.
“Off with the head!”
“Off with the head!”
Yells the Red Queen
For now you are under her rules.
You fell into the Rabbit Hole
You fell into Wonderland
And having been unannounced
The Queen seems to think the policies you’ve broken.
“The policies have not been broken”
“The policies have not been written”
“The policies are not even known”, is what you say
So you saved your neck for now.
Think the policies,
Write the policies,
And if the Queen is happy,
Your head shall go home on your shoulders.
Days and days you think,
Days and days you write,
For the policies that won’t be over specific,
And that will pass the test of time.
Security advice must be given,
Security protocols must be covered,
You think of common practices,
But without copying them, for these are just for Wonderland.
Three common policies are known to you,
Three common policies are written.
Information, Privacy and Acceptable Use policies
For Wonderland are clearly written now.
The White Rabbit has taken them,
The White Rabbit will read them to the kingdom,
His trumpet will sound, and so he will say
“Hear all, hear all, the new policies are here”.
The Information policy designates
Who is responsible for information security matters,
The Information policy describes,
The role each member of the kingdom will play in information security.
The Queen is the authority in the creation of security standards,
The Queen is the authority for incident response,
But not it won’t
For now exceptions and violations are written.
Individuals’ data is collected,
Individuals’ data is stored
Individuals’ data is used
Written are the principles at the beginning,
Written is the type of information that will be collected next,
In another section you specified how the rulers will use the information
And at last come the choices and obligations of individuals under the policy.
Do’s and don’ts of how subjects will use the information systems,
Do’s and don’ts of the personal use of computing resources
Is what the White Rabbit reads
Of the Responsible Use Policy.
Principle of least privilege stating
the minimum set of permissions to do a job,
Principle of separation of duties
separating permissions for critical situations.
A Drink Me bottle it was,
An Eat Me cookie maybe,
What you took to escape,
In case of the Red Queen’s anger.
Crazy you aren’t to wait
For her reaction after listening to the policies.
Crazy you are maybe
For reading this story of mine.
It might have been crazy
It might have been silly
But the security policy facts I’ve written
And hard is not to separate the fantasy.
With the claps I leave
With a bow I leave
Until the next time I write
Until the next time you come to read.