Guerilla CISO Tip–Avoid “Boilerplate”

Posted November 12th, 2007 by

Repeat after me: “This isn’t a legal contract, you don’t have to include boilerplate for CYA purposes.”

Actually, the boilerplate in  security documents does one of the following:

  • Is a bunch of lies because it never gets updated
  • Refers to common or shared controls which are written down somewhere else and you should be referring to them instead of including them verbatim
  • Is a rehash of NIST/BS7799/PCI-DSS documents or standards that we all know anyway
  • Is marketing information or “Ra-Ra” cheerleading
  • Is an attempt at “malicious compliance

None of these are what you really want to do.  So think about it next time you create a template for something.

Similar Posts:

Posted in The Guerilla CISO, What Doesn't Work | No Comments »

Leave a Comment

Please note: Comment moderation is enabled and may delay your comment. There is no need to resubmit your comment.

Visitor Geolocationing Widget: