
Random Thought: We Should Not Tolerate Zero Tolerance

October 14th, 2009

So I was, as usual, inspired by everyday events and news to relate to the infosec community. In its own way, so much of what we encounter day to day has parallels in our security community…but I digress. The topic of the day is “zero tolerance” policies. I recently read an article about a nice young man named Zachary Christie. He’s a good student, learning karate, and a Cub Scout. He’s also a criminal. Well, at least in the eyes of his school system. Why? He had the AUDACITY to bring a fork/spoon/knife camping utensil to school to use at lunch and show his classmates. Zachary, incidentally, is 6 years old. SIX.

I could understand a gentle reprimand. The ol’ “We have a policy here” talk. But Zachary didn’t get that. Nope, this hardcore 6-year-old got suspended for 45 days! With the last week in solitary confinement for shanking a fellow inma…errrr, student! OK, I’m kidding about the last part. But the point should be clear – 45 days for this offense punishes the student (very excessively), the parents (who will have to rearrange their work schedules around him), and any rational, thinking person in the USA. That’s right, we’re all being punished, because this makes us realize just how stupid we can be. And that hurts.

So. What about infosec? Well, we infosec people are policy creators and enforcers. Influencers, too, in many cases, but that’s less relevant here. I’ve had some really interesting conversations in the past with SANS students and Advisory Board members on this same topic. Some are all for draconian policies. Yaaar, matey, walk the plank! Others take a less heavy-handed approach. Which is right? Well, in my opinion (and we all know what THAT means), there are a few policy areas where we must be 100% black and white:

  • Theft or intentional mishandling of sensitive data (PII, Trade Secrets, etc).
  • Possession of child pornography.
  • Intentional hacking or circumvention of access controls to do…anything.
  • Espionage.

That’s it. Yep, really. Supporting evidence plays a big role in most (if not all) of these, so even these may not be completely cut and dried. Generally, though, it’s a safe bet to have clear violation rules in place for any of them. What about the others, though? What about all those myriad policies that we have painstakingly written and that everyone in the organization hates? Some make sense, sure, but there are probably some that should be handled on a case-by-case basis. Many people in many organizations hate security people. Some of you will say “so what?” I say – you’re losing the game. People WILL get around you one way or another, and if they hate you they will try 10 times as hard. I’m not advocating being wishy-washy, and there are plenty of reasons (governance, compliance, industry standards, etc.) why certain policies should have less “wiggle room” than others. But if we always approach policy with a “my way or the highway” attitude, we are going to isolate ourselves even further in infosec, and that’s a tragedy. Just something to think about. </rant>

  1. iamnowonmai
    October 15th, 2009 at 05:20 | #1

    Well, I am assuming that “Leave a comment” means it is ok to chime in. 😉

    You are talking about two separate concepts at the same time. In the first case the offender is being punished for something they *have*, in this case a spork, or data above your security clearance, or whatnot. In the second case, you are talking about something an offender *does*, such as espionage or theft. It is difficult to try to apply the concept of security policy to a case of possession-type crimes, since they almost always involve an action. A policy is put in place to reduce risk, and an employee chooses to act in violation of the policy.

    I understand the concept of zero tolerance in $GENERIC_POLICY that you are making, so I’m not (intentionally) being dense here. But let the policy be black-and-white. Let the HR people worry about the degree of enforcement. I think a problem can arise when security staff internalize the policy (that they probably wrote) and take it personally when people violate it. But I don’t think it helps the adversarial situation between staff and infosec. Infosec needs to unplug from it. If there is a “my way or the highway” attitude, then infosec is personalizing it too much.

  2. admin
    October 15th, 2009 at 05:32 | #2

    I think you have a good point, actually. I did muddy the waters a bit here in terms of policy types and approaches, agreed. But there are so many types of policy now that don’t fall into the “black and white” mentality anymore (in my opinion), that we should be careful about how we construct and enforce them. Much of this may ultimately fall to HR, particularly policies directly related to employee behavior, but I think “blind policy obedience” is dangerous. Given that we have so much influence in policy definition and violation alerting, we should also be using a more reasoned approach when possible.

    You also make a sound point about security folks internalizing policy, and that’s a tough one to get around. Human nature creeps in here, we all tend to internalize a bit for things we built or have a stake in.

    Good discussion points, in any case. This isn’t a clear-cut topic with one right or wrong answer, obviously – thus the “Random Thought” label. 🙂
