Policy must be practical and to the point

What is security? It has to be practical. Many organisations have risk management policies which read like War and Peace and one that I came across recently was more than 100 pages long.

I gave it to a student to read and he told me he didn’t know if it was a policy, a standard or a guide, and he didn’t understand anything in the document itself. There was at least a written policy, but it was over-complicated and did not deliver proactive security.

A lot of organisations have standards in place but the question is: Do they follow the standards? And does anybody really care?

A two-page security policy can capture the user requirement. They should not have to understand every detail about the organisation. The security policy should be there to assist the business to deliver its mission ­ it should not be used to hit people over the heads when things go wrong.

Credit report supplier Experian is an example of an organisation that is very aware of its profile in the market, and it went to extra exceptional lengths to deliver security.
One of the challenges Experian had was to seek certification under the ISO 17799 standard, so that the business delivered good, sound, security practice. The certification was put in place and paid dividends.

Many organisations may not consider security enough when building new
systems. When deploying operating systems, applications or any other part of your infrastructure, it is important to consider how security can be best enabled.

An example is free file encryption, which came with Windows 2000 onward. People who have lost laptops often say they couldn’t afford encryption, but, in fact, they usually already own it. Encryption is not infallible, but it does heighten the security barrier.

One of the major concerns that many organisations have today is the amount of devices that users bring to work ­USB devices, iPods and so on.

Each and every connection in the corporate environment poses risk. If blocking technology is deployed to cope with this, the number of devices often shown to be connected to the network is very scary. It shows a lack of controls if full use of adequate technical security to monitor usability is not made.

This is not about a user coming in to attack the system; it is users who do what they can because they can do it.

A security policy is written for 99.9 per cent of users, but the clever user who is really there to attack a system is the one who knows about the policy and has read it thoroughly.

Some users will always abuse their rights, they will pose consistent and constant challenges.

John Walker is chairman of the Information Systems Security Association UK
expert technology panel. This article is taken from a transcript of Walker’s
presentation in a Computing web seminar “Managing risk: The challenges for companies”.

Visit: www.computing.co.uk/webseminars

Like this story? Spread the news by clicking below:

 del.icio.us     Digg this     reddit!