When did the SANS Institute write its first in-house security policies? Like many organizations, the Bethesda, Md.-based small business only did it after there was a problem.
A former consultant with the organization used his existing SANS e-mail address to send spam. Technically speaking, the former consultant hadn't done anything wrong, as the SANS Institute, best known for its computer security training and research, didn't have policies for acceptable e-mail use. Nor did it monitor or retain e-mail as a business record.
The first thing the SANS Institute did was write for acceptable use, covering such things as Internet access, e-mail, and passwords, said Stephen Northcutt, the director of training and certification at the SANS Institute. "We went from ad hoc to organized in 24 hours."
Getting burned often drives organizations to action. Yet while the heat of the moment distills thinking, planning ahead never hurts, and company size or expense is no excuse. Small and medium-size businesses (SMBs) can create Internet-security policies on the cheap if necessary. In fact, because SMBs are "more intimate by nature," enforcing acceptable use of Internet resources is "easier and much simpler," said Randall Palm, the chief technical and information security director at the Computing Technology Industry Association (CompTIA) in Oakbrook Terrace, Ill.
Outline privacy and policies
Before writing policies, however, organizations need an employment manual. This outlines an employee's presumption of privacy and what the employer can monitor. With that in mind, then define what constitutes an acceptable use of systems, so employees know what they can or can't do.
Writing such a policy can be as easy as downloading it for free from the SANS Security Policy Project and filling in brackets with your company's name and relevant job titles. The project has about 30 pre-made policies, including the all-important "acceptable use" policy, which likewise details what's unacceptable. "Information Security Policies Made Easy," a not-free book and CD-ROM with 1,360 policies, is another well-regarded source for such policies.
SMBs should also specify, by job title, which sensitive tools people are or aren't allowed to use, said Northcutt. "Why should someone have an Ethernet sniffing tool when they're not an Ethernet administrator?"
In general, however, remember the goal of a security policy: to "empower an employee to do the right thing," possibly by referring to it later to guide their actions, he said. So don't detail every last bell or whistle. "Keep those suckers short and terse," said Northcutt. For example, SANS's acceptable-use policy is only three pages long.
Then ensure employees read the policy. Placing it on the intranet helps.
Of course policies don't magically come true. "It's a lot more of an education model than it is a policy model," said Palm. "Sometimes you're vulnerable just because you use a dial-up account on the road, and you're not behind a firewall."
A company, however, must also make "a reasonable effort to protect its information systems and users from vulnerabilities; you can't put 100 percent of obligation on a user," said Palm. These basic countermeasures, he said, are mandatory: firewalls, antivirus, anti-spam, anti-spyware; and a trained IT staff. With these, "you have a reasonable, defensible position that a company has done its effort to do its part."
Likewise, education is one thing; enforcement it is another. "Cheap gets really interesting when you bring up acceptable use," said Northcutt. "It's just a matter of time until you're going to treat one employee differently than another, and that's lawsuit heaven."
That's why he recommends automated enforcement of allowed Internet access. "Yes it costs you money, but deal with it because you will get the money back in 30 to 90 days just on the bandwidth you save," not to mention reducing corporate liability. "Think about the amount of money you save just by dealing with child pornography."
Technology for filtering Internet access abounds; IDC said the largest providers are Websense, SurfControl and Secure Computing. In general, all such products classify an enormous number of Internet sites, including Internet shopping, stock trading, online games and job-search categories, then allow IT managers to selectively restrict access, even to certain hours.
Review policies periodically
With an acceptable-use policy written and enforcement in place, the final requirement is planning the update. CompTIA, for example, updates its policies annually; a lot can change in that time. When reviewing, Palm recommends asking simple questions, such as, "If someone asks all employees for their password, how many would give it to them?" and "If all employees received an unknown attachment, how many would open it?" Use the answers to focus policy rewrites, plus additional technology and training expenditure.
For SMBs resisting writing security policies, know they may soon be mandatory. Many regulations stipulate that "there needs to be a means to enforce some of these security controls, and in effect your security policy," said Mike Cunning, director of the technology and data management services practice at New York-based PricewaterhouseCoopers.
Regulations increasingly apply also to companies' suppliers, regardless of industry. Today "the standard for behavior is becoming regulated," said Northcutt. "Don't get me wrong, if you're a literal small business, it will be a while before they get to you, but they will eventually."