When is a rule a rule?
Mar 16th, 2010 by Jesper Kråkhede
Security is a very interesting subject. Quite often I get questions about how security policies, security mechanisms and technical solutions relate to each other, and when and where to put each in place. My answer is as always: it depends. That said, the real issue to settle is how you want to handle your rules.
A rule has two properties: how it is monitored and how breaking it is punished. Any rule lacking either of those will inevitably be disregarded. Take something as simple as walking against a red light at a crossing. The law in Sweden states that it is not allowed, but there is no punishment if you do. Hence the law is toothless and is therefore broken on a daily basis. The same goes for speeding: most of the time nobody is monitoring your speed, so a lot of people drive faster than allowed.
This is true for security as well. A security policy that does not define how compliance is monitored, and has no consequences when it is disregarded, is not worth the computing power used to write it.
A rule is only in effect if it is monitored and if it is enforced.