Last week we discussed the basics of a security policy. Today I want to go a little more in depth and discuss the need for a security policy.
Do I need a security policy?
Of course you know what my answer is going to be. Now you might respond with: But we are a small business, not an enterprise... or, But I am just a one-person shop... or, Well, you are in state government, Jason, I just make web sites for Mom & Pop... To any of those responses I will direct you to my short list of reasons that a security policy is important for all.
- In a large business, federal or state government, or any other "enterprisey" environment, a security policy of some sort is probably going to be expected. Whether for legal reasons, accountability reasons, or because bureaucrats like paperwork, you are probably going to need to do it. But this should be seen as a positive, because security is good. Consider the following reasons as well.
- In any size web development shop a security policy can ensure that everyone is on the same page. It can help maintain consistency across the entire application to ensure that the same levels of quality and control exist for each part of the application.
- Even in the smallest of web development shops, having a security policy can help ensure that security is part of the application's life-cycle from the very beginning instead of making security an afterthought (which probably happens too often, right?).
- If nothing else, having a security policy will help demonstrate due diligence in planning for the security of the application should the application ever be hacked and the client decide to take action. Whether it is in a court of law or internally within the company, by having a security policy you may be able to demonstrate that the hack happened outside of the scope of the agreed-upon policy and that it was beyond your control with the given resources.
This is not to say that it is a "get-out-of-jail-free card" for a stupid mistake, but if a hack occurs that really could not have been prevented without additional resources that were decided (in prior planning) to be unreasonable, then you have that documented, and it could save your job or your bacon.
So those are my reasons for the need for a security policy. If you have more, I'd love to hear about them in the comments.