Guerilla CISO Tip–Avoid “Boilerplate”

Posted November 12th, 2007 by

Repeat after me: “This isn’t a legal contract, you don’t have to include boilerplate for CYA purposes.”

Actually, the boilerplate in security documents does one of the following:

  • Is a bunch of lies because it never gets updated
  • Refers to common or shared controls which are written down somewhere else and you should be referring to them instead of including them verbatim
  • Is a rehash of NIST/BS7799/PCI-DSS documents or standards that we all know anyway
  • Is marketing information or “Ra-Ra” cheerleading
  • Is an attempt at “malicious compliance”

None of these are what you really want to do. So think about it next time you create a template for something.



Posted in The Guerilla CISO, What Doesn't Work