Winning security policy acceptance

Mark Hughes / Ray Stanton
BT business continuity, security and governance practice
Computer Fraud & Security, May 2006

There are very few organizations today that haven’t adopted at least some form of information security measures. The majority have firewalls and anti-virus protection and most will conduct regular backups of data, run anti-spam software and have policies for acceptable use of emails and the Internet. VPNs, secure mobile working, intrusion protection and detection and business continuity plans have all seen growing levels of deployment, indicating that security is being taken seriously at board level at companies of all sizes. As a result, many of these companies feel confident in their ability to protect themselves. But that confidence is often misplaced.

The bigger security picture

Technology and tools are certainly a key element in any approach to security, but organizations that rely on them to the exclusion of all else are still exposing themselves to risk. Instead, all security measures must be considered as holistic solutions that are at their most effective when accompanied by appropriate policies and procedures, and which take into account the ‘people’ factor. Even companies that have deployed the most comprehensive array of technological solutions leave themselves open to attack or security breaches if they don’t educate and monitor their users.

This is a message that applies to all forms of technology. However, when it comes to security in particular, it seems that the potential of IT tools often overrides common sense. The basic premise of ‘people, process and technology’ is either being ignored, or is considered irrelevant. This is a serious issue: the best technology in the world is only as good as the person using it.

The reality of any security system is that users are the weakest link. They need access to applications and information to carry out their jobs, resulting in thousands of possible areas of vulnerability every day. Whether accessing data, logging in to applications, sending and receiving emails, communicating with partners and customers, or even taking mobile devices out on the road with them, the day-to-day requirements of a system’s users create a diverse range of challenges and problems for the security manager.

How do organizations keep their data and infrastructure absolutely safe? As Gene Spafford, director of computer operations, audit, and security technology at Purdue University, put it: “The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn’t stake my life on it…”

The problem with such a scenario is that no-one would be able to use it either. In the real world users need to have constant access to business information and also need to be able to send emails and share data with trusted third parties. It’s what enables them to do what they are paid for and keep the company running. There needs to be a workable solution that enables employees to function without being restricted by draconian security measures, while simultaneously ensuring that the company’s network and data are secure.

So how can such a solution be reached?

Writing a policy

The first step is to draw up a security policy, and get buy-in from the board to lead the security drive from the top down. Employees need to understand what they can and cannot do when it comes to using corporate systems and data. They also need to know what they should and should not be doing, as individuals, in order to maintain the appropriate levels of security.

A comprehensive security policy, which is subject to regular review, provides the answers to these key questions. Beyond this basic requirement, the policy should mandate how information is to be protected across the business and when it is exchanged with other parties. The policy documents need to be as ‘user friendly’ as possible, explaining not only what employees need to do, but also why they should do it, as well as the penalties for non-compliance.

Policy authors need to take the time to understand fully the procedures that all users go through in order to function properly. This will make sure that the security processes put in place don’t actually stop employees achieving what they are paid to do. There have been numerous occasions when users have found a way to completely bypass security measures that they saw as too restrictive.

Regardless of how much the policy is oriented towards the daily user experience, it will not succeed if it is drawn up in isolation from the wider security goals. As an essential element in the overall security programme, it needs to be aligned with the company’s IT security aims. It is more than a series of ‘nice to have’ generic ideas. Instead, it is a document that is deeply rooted in the day-to-day reality of the organization’s operations. This means that the policy should be informed by the
organization’s plans to manage its operational risk and comply with legal, statutory, regulatory or contractual requirements, and support all efforts to achieve these goals. It needs to make sure that security remains a business enabler by guaranteeing the confidentiality, integrity and availability of corporate data.

Enlisting the board

Since the policy is integral to a company’s wider goals, it is vital that senior management is committed to it and its implementation throughout the organization. Board-level engagement is essential to success: those running the business need to support security actively within the organization through clear direction and demonstrable actions, including allocation of resource and release of budget. They need to assign and acknowledge explicit information security responsibilities. Although day-to-day issues remain with an appropriately trained and experienced IT security manager, senior executives need to be the ultimate owners of the IT security policy.

Drawing up the security policy may fall to the IT department, but others are involved in monitoring and policing it. To ensure that policies are accepted and adhered to, the board needs to engage the HR and legal departments and establish a culture of user consultation. Security is a multi-departmental discipline and it requires the senior, centralising force of the board to make certain that every part of the organization is involved.

Perhaps fortunately for the IT manager who is attempting to make all this a reality, the last few years have seen security climb higher and higher up the boardroom agenda. Drivers such as new corporate governance legislation as well as the need for effective risk management have helped make security a senior-level issue. Security managers can use this as an opportunity to make sure board members are aware that it is they who are ultimately accountable, and potentially liable, for breaches of security. This is not about scaremongering, which is more likely to lead to short-term panic and will rarely achieve long-term commitment. Instead, it’s about making the case for security as an enabler and driver for change.

If security is seen as just another insurance policy, it is unlikely to enthuse even the most forward-thinking senior executive. But if it is regarded, rightly, as the tool that makes mobile working and collaborative projects truly effective and as a method of enhancing rather than diminishing shareholder value, then it ceases to be just another necessary evil. Consequently, board members are more likely to support it.

Managing the users

It is important to remember that an IT security policy is a living document that needs to be kept up-to-date: it shouldn’t be written and forgotten, or left on a shelf to do nothing but gather dust. Many organizations already have a policy, but because they do not ensure that it remains pertinent to their changing circumstances, they are doing little more than paying lip-service to its contents.

Circumstances will inevitably change, be they organizational, technical, physical or even political, and so will the consequent risks to the business and their attendant security requirements. Reviewing the policy is therefore of critical importance to ensure its ongoing relevance, as is communicating any changes to all affected employees. In fact, communication is a key success factor in any policy.

Users need to be aware of the requirements it contains, and companies need to plan their communications so that access to an up-to-date copy is a pain-free process. Employees also need to have the time to read it if they are to stick to the guidelines. It is all too easy to assume that just because a policy exists everyone is aware of its contents. Instead of relying on employees to ‘pull’ the rules and guidelines from the chosen channel, companies should make it as difficult as possible to avoid the policy, by using some form of ‘push’ method of communicating it.

Furthermore, companies need to win the hearts and minds of their employees if the policy is to be adopted universally. This means more than simply lecturing people. Users should completely understand the importance of what is being put in place as well as the reasoning behind it. The ease with which this can be achieved is largely dependent on the size of the company. In a small firm it is often still practical to talk to users individually and make sure they realise what they need to do. However, it is a different matter in organizations with hundreds or thousands of people. It is often harder to communicate in a bigger company, especially one that employs remote or mobile users or contractors. In addition, large organizations are more likely to have public shareholders and a higher profile and are consequently more vulnerable to deliberate attack.

There are a number of methods that can generate awareness of the security policy, and its impact on employees. A good place to start is by embedding security into job descriptions and employment contracts and making it part of performance reviews and appraisals. This ‘pushes’ information out to workers, letting them know from the start what is expected of them, and making it clear from the outset that they will be monitored. All employees should also go through specific security training that is appropriate to their role, covering areas such as general security, data protection and compliance. This is where the board’s engagement with HR is essential: training may need to be renewed as a person changes role or is promoted through the organization. For example, if managers are to take on a degree of responsibility for the security of their department, they must have appropriate training and resources.

Employee education can be face-to-face or a Web-based e-learning course, depending on the organization’s specific
requirements. Users should be trained when they first join the company, and that training should be repeated regularly to make sure it is kept up to date, particularly when significant security policy or technology changes have taken place.

In larger organizations, tools such as a well-publicised online security reporting facility and a 24/7 security helpline make it easier for users to report any suspected or actual security problems, ensuring they can be effectively dealt with in a timely manner.

Again, there is a fine line between giving people insufficient training and concentrating on security to the extent that people don’t have time to do their job. It all comes down to assessing cost and productivity against risk. The organization and its board must decide what level of risk they are prepared to manage.

Aside from direct education and contractual obligations, there are numerous ways in which the security policy can be conveyed. In particular, the corporate intranet is a valuable tool that can be used to outline the security standards that employees are expected to comply with, as well as providing users with training materials and background information.

Because it is straightforward to update, an intranet can be a much more dynamic, engaging and even interactive method of communicating. For example, organizations can adopt a different security theme each month, run it across the intranet and email users with specific information about the threats involved, hints and tips, or even simple glossaries to help users gain greater understanding of what they are dealing with.

Monitoring the policy

When rolling out security, companies should include the appropriate mechanisms to identify where and when policy breaches occur. This includes encouraging employees to report security breaches by promising them anonymity or reward, for example. There is little point in having security technology in place if you don’t know when it is being bypassed.

Where the security policy is automatically enforced – for example, by using one, two, or three-factor authentication to log in – then the company can be reasonably sure that the policy is being complied with. However, where policies rely on individual discretion, be it the wearing of an ID pass or storing valuable information on vulnerable PDAs, there is less assurance that the policy is being met. In these instances, effective monitoring processes such as spot checks or exercises will be required to confirm that compliance with policy is actually taking place.

It is also important to ensure there are appropriate consequences for non-compliance. Positively incentivising staff is always preferable, but with something as critical as IT security, there also need to be negative consequences for non-compliance. Users need to understand what will happen if they don’t adhere to policy. Furthermore, those penalties need to be consistently enforced and, just as importantly, seen to be enforced to ensure that the message gets across: security isn’t an option, it is a necessity.

Measuring success

It isn’t enough just to roll out security policy and training and leave it at that. Whatever the size of organization, and however sophisticated its chosen communication methods, the ability to assess the level of compliance and hence the success of those policies is essential. Although it can be difficult to measure the direct impact of security awareness programmes on the bottom line, there are other ways to assess their success. For example, recording intranet page impressions can reveal how interested people are and how much they are reading beyond the first page. Statistics gathered by a helpline can reveal increases in types of reported incidents following training or the distribution of education packages.

The effectiveness of policies and training can also be assessed by establishing whether the number and cost of security breaches has reduced since their implementation. As a baseline, organizations need to establish what the cost of security breaches is, whether it is from loss of data, network downtime or wasted staff time, as well as the cause in each case. They will then be able to identify where the weak spots are, what resources are required and what targets need to be met.

Employees are the weakest link in the security chain – but they are also the most important part of the business. Every company likes to boast that people are its most valuable asset, so security measures need to work with them, rather than against them. To do that, it is critical to take time to write a policy that will support users as they do their job, while making sure that they understand what they need to do, why they need to do it and what the implications are if they don’t.
