The following example of a recent story is the perfect analogy for dynamic policy creation. The Swiss MediaMarket (Electronics Chain) reacted amicably when we were presented with a heat wave. All over the news people where warned about the topic of leaving your children or your pets in the car. Unfortunately there where fatalities due to the practice of leaving small children in the car. There was a lot of talk but MediaMarkt spun into action. This story has all the ingredients for future security (advanced persistent threats) APT's and how you will have to deal with them. The same process' will have to be applied to your policy framework.

1. Security agility - dynamic policy creation and
rollout
Have you ever thought of dynamic policy creation?
Not in a technical sense rather from an organisational
point of view.
The following example of a recent story is the perfect analogy for dynamic policy
creation. The Swiss MediaMarket (Electronics Chain) reacted amicably when we were
presented with a heat wave. All over the news people where warned about the topic of
leaving your children or your pets in the car. Unfortunately there where fatalities due to
the practice of leaving small children in the car. There was a lot of talk but MediaMarkt
spun into action. This story has all the ingredients for future security (advanced
persistent threats) APT's and how you will have to deal with them. The same process'
will have to be applied to your policy framework.
Here the story and the ingredients that made it so worthy of mentioning.
The A frame with the new store policy.

2. The signs says: Dogs Welcome! Dear customers Dogs are welcome because of the
current temperatures which could be unbearable or even deadly for your animal even
if you have opened the windows of your car. Therefore Dogs are allowed due to this
temperatures.
The following table highlights the temperature development in a car by any give outside
temperature in dependence of time. This is not a scientific study and the values might
differ in your specific context or country. It is an illustration.
Outside
temperature
ºC and ºF
5 minutes 10 minutes 30 minutes 60 minutes
20ºC (68ºF) 24 ºC (75.2ºF) 27 ºC (80.6ºF) 36 ºC (96.8ºF) 46 ºC (114.8ºF)
22 ºC (71.6ºF) 26 ºC (78.8ºF) 29 ºC (84.2ºF) 38 ºC (100.4ºF) 48 ºC (118.4ºF)
24 ºC (75.2ºF) 28 ºC (82.4ºF) 31 ºC (87.8ºF) 40 ºC (104ºF) 50 ºC (122ºF)
26 ºC (78.8ºF) 30 ºC (86ºF) 33 ºC (91.4ºF) 42 ºC (107.6ºF) 52 ºC (125.6ºF)
28 ºC (82.4ºF) 32 ºC (89.4ºF) 35 ºC (95ºF) 44 ºC (111.2ºF) 54 ºC (129.6ºF)
30 ºC (86ºF) 34 ºC (93.2ºF) 37 ºC (98.6ºF) 46 ºC (114.8ºF) 56 ºC (132.2ºF)
32 ºC (89.6ºF) 36 ºC (96.8ºF) 39 ºC (102.2ºF) 48 ºC (118.4ºF) 58 ºC (136.4ºF)
34 ºC (93.2ºF) 38 ºC (100.4ºF) 41 ºC (105.8ºF) 50 ºC (122ºF) 60 ºC (140ºF)
36 ºC (96.8ºF) 40 ºC (104ºF) 43 ºC (109.4ºF) 52 ºC (125.6ºF) 62 ºC (143.6ºF)
38 ºC (100.4ºF) 42 ºC (107.6ºF) 45 ºC (113ºF) 54 ºC (129.2ºF) 64 ºC (147.2ºF)
40 ºC (104ºF) 44 ºC (111.2ºF) 47 ºC (116.6ºF) 56 ºC (132.2ºF) 68 ºC (154.4ºF)
Conversion ºF to ºC.
ºC * 1.8000 +32
This is the story!
So what? Nice story but what is the point aside from animal loving or caring for smallest
and most vulnerable in our community.

3. The exact same thought process applies to information security management. You are
maybe used to policy development based on an ISMS. There we say the public
information security policy should have an expected life span of 2-3 years. The more
detailed the policies go --> Server and Computer polices the more frequent they have
to chance and adapt to new technology for instance.
Now with the landscape of today's with APT's and risks emerging within hours or even
minutes all this has to happen much faster (like the dog policy). This is why I use the
dog policy analogy. Phishing for instance requires reaction times within minutes. A
phishing attack within an organisation requires you to act very swiftly. Experience
shows after the phishing email has entered your organisation some dude somewhere
will fall for it and either clicks on the payload (attached file) or the link in the email within
roughly 16 minutes. Yea right, and don't' forget this 24x7.
The Ingredients you need for dynamic policy creation (if a Dog store policy or a
phishing/ social engineering policy):
- Leadership (seeing the greater context of your environment and conclude what is in
the best interest for you as a company, for the ones around you (your customers) and
the ones your customers care about (their dogs or kids) for instance!
- Competence (acting within your competence or level of influence)
- Resources (what is at your hand)
- Flexible management (ability to convince others that you are on the right track, trust
in your skills and judgement)
- Drive to excel and deliver the best customer experience you can
What you do with these ingredients:
- Assess the situation (detect the problem)
- Understand the problem in a wider perspective (you clients problems)
- look for probable solutions (select the most promising one)

4. - Plan the necessary changes (Printing the posters for the A frames for
instance, distribute the posters to the locations, release a memo to the store
locations)
- Rollout/ implement the changes
- Monitor development (does the situation change, is there adjustment necessary)
- Correct if necessary
- Revert to normal operation
Your use case is of course not the dog of your client it’s his data. What have you done
today to make the data of your client more secure? Have you talked about APT's like
social engineering, phishing or any other security breaches? This is your dog.
Cheers Dom