Written directives for cybersecurity are getting more challenges to formulate into policies due to dynamic business nature. If too rigid, compliance will be an issue. If too loose, then forget it because the policies won’t stipulate specific protection.
Eventually, policy statement will be conditional. Instead of laying down business logic, precise specific protection is stated for generic situation.
An example is information protection regarding credit card transaction. If transaction value exceeds defined threshold, further check is needed for authorization. This will be implemented in the system and the defined threshold will be per cardholder’s spending profile, usual spending location, repayment history etc.
The zero-trust access model is taking similar approach to grant access in further strengthening critical information asset assess. Last but not the least, technical enforcement can always be defeated or circumvented by human factor and usage behavior. That’s why raising situation awareness and workforce competency development are important to invest rather than solely narrow focused on technical controls.