A good security policy is paramount in protecting your company
assets, but it must cater for everyone from the accountant to the
software engineer and must be kept up to date.
For most small and medium-sized businesses - and a surprising
number of larger ones - security policies are documents that are
written by the IT department, filed somewhere and forgotten.
Day-to-day information security is handled by technical people who
are left to fly by the seat of their pants, often without the
resources, training or authority to take command of the
situation.
As a result, no one is in control, so when a problem arises it is
dealt with piecemeal on a technical level without reference to the
bigger picture. This is why, in spite of advances in defensive
technologies, attacks are on the increase and the bad guys seem to
be winning.
This situation exists because the majority of corporate information
security policies just don't work. Most policy documents contain a
blanket clause such as "no software shall be installed by any user
without the authorisation of the IT support department". This
sounds very conscientious, but raises a couple of questions.
What is this policy trying to achieve: licensing control;
protection against Trojans; or control of private computing? IT
support would have to take a different course of action in each
case, so without an appropriately defined intent and action plan,
this policy statement is non-functional.
How is this single policy supposed to cater for everyone in the
company, from accounts clerks who don't need to install software to
engineers who do?
If everyone were to follow the policy rigorously, would IT support
have the resources to handle all the requests?
Finally, has anyone trained the end-users so that they realise a
screen saver is software and has anyone noted that some dangerous
Trojans masquerade as screen savers?
What happens as a result of this vagueness is that no one follows
the security policy as a rule, but it may be wheeled out
occasionally to bludgeon some unfortunate person whose software
installation caused an identified problem.
Good policies should protect against threats, not just specify
punishments to be inflicted after disaster has struck. They are an
expression of rules and restrictions that maximise the security of
corporate information while minimising the impact on the business.
They must be tested and proved to be functional in the business
context.
And, given the rate at which the hazards are evolving, good
policies soon go out of date. Obsolete or unworkable policies can
be more dangerous than none at all, as they can engender a false
sense of security and policies that do not mesh with your business
needs can be a constant brake on performance.
To build good policies start by asking what you are trying to
achieve. Identify the problem you need to solve and involve
business decision-makers, IT support staff and even HR, rather than
leaving policy definition to one or other group alone.
Take professional advice where appropriate, but never hand over
your policy definition to outsiders and never use off-the-shelf
policies, however big the cost savings.
It is as well to include a regular formal update mechanism in your
policies and amend them immediately in the light of any incident
and whenever a major new threat is announced. That means you must
investigate all incidents, however trivial, and you must keep
up to date with new threats. Both should feature in your policies.
HR and management need to ensure that appropriately qualified staff
are given the time and resources to fulfil them.
Consulting your IT users is important for security - explain what
your policies mean and why you have implemented them. Listen to
their responses and adjust your policies if necessary. Train users
in security basics, so that they understand why restrictions are
necessary. It is important that you allow no exceptions - make a
policy for every explicit case. You should consider simplifying
your policies by eliminating unnecessary hazards.
Imposing minimum privilege can do wonders for security - instead of
giving everyone full Internet access at their desktops, consider
opening a cybercafe in the canteen, isolated from the corporate
network. You might give everyone a private e-mail address as well
as their corporate one, with explicit, monitored, rules on
usage.
Above all, update and test your policies regularly.
Mike Barwise is an independent consultant specialising in
information security management.