5 Common Mistakes Companies Make with Security Policy Management

Risk management has always been an important process for businesses. In the digital age, this ongoing effort assumes even more significance. Organizations today can’t effectively manage risk without periodically evaluating their IT security policies and their corresponding enforcement programs. Those that aren’t willing or able to examine how they manage their security policies can’t identify when something’s working. Worse, they can’t recognize when their program is stuck in a rut or when it’s ignoring opportunities that reduce risk.

Here are five common mistakes organizations make when it comes to their security policy management program.

  1. Thinking about the Network and Not Business Applications

Organizations sometimes can’t see the forest for the trees. They’ll create a policy that justifies their network configuration, like what ports or VPN tunnels to use. But they won’t think about why network access is needed in the first place and what business application the rule or policy is supporting. It’s the same thing the other way around, too. Companies commonly don’t remove network access from a decommissioned application, nor revise the corresponding policy, because they fear it might adversely affect an asset’s functionality. Realistically, they should be more concerned about how an attacker could exploit that open access to attack their systems.

  2. Lack of Effective Communication between Different Teams

It takes a lot of teamwork for an organization to manage its security policies. There are those who create and enforce the policies, those who make sure those policies ensure optimal system functionality, and those who tie policies to business applications. These groups of individuals don’t always interact with one another. But their jobs are fundamentally collaborative and interdependent. Without an understanding of what business applications need support, personnel can’t create effective security policies. Teams must also be familiar with those policies to understand how they might or might not affect the organization’s network.

  3. Allow Undocumented Changes on the Fly

An essential part of security policy management is documenting every policy. If organizations don’t encourage documentation, they run the risk of personnel creating policies for which there is no explanation when an auditor comes to call. There’s also the chance that employees could create multiple policies that cover the same security risk, leading to unnecessary clutter. Documentation is important in that it records a policy and standardizes its application across all teammates. Consequently, organizations should not only encourage documentation but also pair it with a formal process for creating new policies. Doing so will prevent employees from impulsively creating security policies that merit deliberation and review.

  4. Don’t Account for Human Error

We’re all human. That means we sometimes make mistakes. Nimrod Reichenberg, head of global strategy for AlgoSec, explains in an article published on Dark Reading one such scenario he encountered on the job:

“An administrator in one company that we worked with accidentally typed port 433 instead of port 443 when making a firewall rule change. Let’s just say it was not a good day for him.”

Input blunders do more than just waste time. They create confusion that could potentially weaken a business’s security. Organizations therefore need to account for human error in their security policy management program. One of the ways they can do this is by using an add-on tool or script that’s capable of catching typos and other mistakes.
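One shape such a typo-catching script can take, as an added example that is not part of the original article or any vendor product: each firewall rule change carries the service it is meant to serve, and the linter flags a port that is a one-character slip (substitution or adjacent transposition) away from that service’s expected port, such as 433 entered for HTTPS. The rule format and the service-to-port map are assumptions.

```python
"""Linter for firewall rule changes that flags likely port typos.
Added example; the RuleChange format and EXPECTED_PORTS map are assumed."""
from dataclasses import dataclass

# Assumed map of service labels to the ports the organisation expects for them.
EXPECTED_PORTS = {"https": {443}, "http": {80}, "ssh": {22}, "rdp": {3389}}


@dataclass
class RuleChange:
    rule_id: str
    service: str   # what the requester says the rule is for
    port: int      # the port actually typed into the change


def _near_miss(a: int, b: int) -> bool:
    """True if the decimal strings differ by one substitution or one
    adjacent transposition, the classic fat-finger errors."""
    sa, sb = str(a), str(b)
    if len(sa) != len(sb):
        return False
    diffs = [i for i, (x, y) in enumerate(zip(sa, sb)) if x != y]
    if len(diffs) == 1:
        return True
    if len(diffs) == 2 and diffs[1] == diffs[0] + 1:
        i = diffs[0]
        return sa[i] == sb[i + 1] and sa[i + 1] == sb[i]
    return False


def lint_rule(change: RuleChange) -> list[str]:
    """Return human-readable findings; an empty list means the change passed."""
    expected = EXPECTED_PORTS.get(change.service.lower())
    if expected is None:
        return [f"{change.rule_id}: unknown service '{change.service}', needs review"]
    if change.port in expected:
        return []
    for p in sorted(expected):
        if _near_miss(change.port, p):
            return [f"{change.rule_id}: port {change.port} looks like a typo of {p} ({change.service})"]
    return [f"{change.rule_id}: port {change.port} is not an expected port for {change.service} {sorted(expected)}"]


if __name__ == "__main__":
    # Constructed sample change set, including the 433-for-443 slip from the article.
    for c in [RuleChange("FW-101", "https", 433), RuleChange("FW-102", "https", 443),
              RuleChange("FW-103", "ssh", 2222)]:
        print(lint_rule(c) or [f"{c.rule_id}: ok"])
```

Wired into the change-approval step, a non-empty finding list is what turns a quiet misconfiguration into a blocked change that a second person has to look at.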

  5. Fail to Consider Built-In Risk

Poorly designed security policies don’t work in a company’s best interest. Sometimes they add risk, violate compliance requirements, or conflict with other parts of an organization’s IT strategy. Given the potential risks created by security policies, businesses should give more thought to how they design their security policy management programs. Specifically, they should figure out what risks might occur if they create a new security policy.

To further mitigate built-in risk, organizations should consider automation. IT Business Edge is a firm advocate of this decision:

“Automation will streamline your processes, enable you to quickly change designs, identify rules that can be reused, seamlessly push out policies, conduct risk analysis and auditing quickly, instantly create documentation and validate and reconcile, all in real time. There will always be some tasks that require human intervention, but you will have a more secure system if you keep the people on your team focused on the jobs that need analysis and investigation, rather than mundane tasks that can be automated.”


Security policy management is an important facet of risk management. But it doesn’t come naturally to all companies. This is why Metacompliance has come up with a line of policy management products that help companies design security policies and ensure staff awareness.
