SECURITY POLICY
Winning security policy acceptance
Mark Hughes / Ray Stanton, BT business continuity, security and governance practice
Computer Fraud & Security, May 2006

There are very few organizations today that haven’t adopted at least some form of information security measures. The majority have firewalls and anti-virus protection and most will conduct regular backups of data, run anti-spam software and have policies for acceptable use of emails and the Internet. VPNs, secure mobile working, intrusion protection and detection and business continuity plans have all seen growing levels of deployment, indicating that security is being taken seriously at board level at companies of all sizes. As a result, many of these companies feel confident in their ability to protect themselves. But that confidence is often misplaced.

The bigger security picture

Technology and tools are certainly a key element in any approach to security, but organizations that rely on them to the exclusion of all else are still exposing themselves to risk. Instead, all security measures must be considered as holistic solutions that are at their most effective when accompanied by appropriate policies and procedures, and which take into account the ‘people’ factor.

Even companies that have deployed the most comprehensive array of technological solutions leave themselves open to attack or security breaches if they don’t educate and monitor their users. This is a message that applies to all forms of technology. However, when it comes to security in particular, it seems that the potential of IT tools often overrides common sense. The basic premise of ‘people, process and technology’ is either being ignored, or is considered irrelevant. This is a serious issue: the best technology in the world is only as good as the person using it.

The reality of any security system is that users are the weakest link. They need access to applications and information to carry out their jobs, resulting in thousands of possible areas of vulnerability every day. Whether accessing data, logging in to applications, sending and receiving emails, communicating with partners and customers, or even taking mobile devices out on the road with them, the day-to-day requirements of a system’s users create a diverse range of challenges and problems for the security manager.

How do organizations keep their data and infrastructure absolutely safe? As Gene Spafford, director of computer operations, audit, and security technology at Purdue University put it: “The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn’t stake my life on it…” The problem with such a scenario is that no-one would be able to use it either. In the real world users need to have constant access to business information and also need to be able to send emails and share data with trusted third parties. It’s what enables them to do what they are paid for and keep the company running. There needs to be a workable solution that enables employees to function without being restricted by draconian security measures, while simultaneously ensuring that the company’s network and data are secure. So how can such a solution be reached?

Writing a policy
The first step is to draw up a security policy, and get buy-in from the board to lead the security drive from the top down. Employees need to understand what they can and cannot do when it comes to using corporate systems and data. They also need to know what they should and should not be doing, as individuals, in order to maintain the appropriate levels of security. A comprehensive security policy, which is subject to regular review, provides the answers to these key questions.

Beyond this basic requirement, the policy should mandate how information is to be protected across the business and when it is exchanged with other parties. The policy documents need to be as ‘user friendly’ as possible, explaining not only what employees need to do, but also why they should do it, as well as the penalties for non-compliance. Policy authors need to take the time to understand fully the procedures that all users go through in order to function properly. This will make sure that the security processes put in place don’t actually stop employees achieving what they are paid to do. There have been numerous occasions when users have found a way to completely bypass security measures that they saw as too restrictive.

Regardless of how much the policy is oriented towards the daily user experience, it will not succeed if it is drawn up in isolation from the wider security goals. As an essential element in the overall security programme, it needs to be aligned with the company’s IT security aims. It is more than a series of ‘nice to have’ generic ideas. Instead, it is a document that is deeply rooted in the day-to-day reality of the organization’s operations. This means that the policy should be informed by the organization’s plans to manage its operational risk and comply with legal, statutory, regulatory or contractual requirements, and support all efforts to achieve these goals. It needs to make sure that security remains a business enabler by guaranteeing the confidentiality, integrity and availability of corporate data.
Enlisting the board

Since the policy is integral to a company’s wider goals, it is vital that senior management is committed to it and its implementation throughout the organization. Board-level engagement is essential to success: those running the business need to support security actively within the organization through clear direction and demonstrable actions, including allocation of resource and release of budget. They need to assign and acknowledge explicit information security responsibilities. Although day-to-day issues remain with an appropriately trained and experienced IT security manager, senior executives need to be the ultimate owners of the IT security policy.

Drawing up the security policy may fall to the IT department, but others are involved in monitoring and policing it. To ensure that policies are accepted and adhered to, the board needs to engage the HR and legal departments and establish a culture of user consultation. Security is a multi-departmental discipline and it requires the senior, centralising force of the board to make certain that every part of the organization is involved.

Perhaps fortunately for the IT manager who is attempting to make all this a reality, the last few years have seen security climb higher and higher up the boardroom agenda. Drivers such as new corporate governance legislation as well as the need for effective risk management have helped make security a senior-level issue. Security managers can use this as an opportunity to make sure board members are aware that it is they who are ultimately accountable, and potentially liable, for breaches of security. This is not about scaremongering, which is more likely to lead to short-term panic and will rarely achieve long-term commitment. Instead, it’s about making the case for security as an enabler and driver for change. If security is seen as just another insurance policy, it is unlikely to enthuse even the most forward-thinking senior executive. But if it is regarded, rightly, as the tool that makes mobile working and collaborative projects truly effective, and as a method of enhancing rather than diminishing shareholder value, then it ceases to be just another necessary evil. Consequently, board members are more likely to support it.
Managing the users

It is important to remember that an IT security policy is a living document that needs to be kept up-to-date: it shouldn’t be written and forgotten, or left on a shelf to do nothing but gather dust. Many organizations already have a policy, but because they do not ensure that it remains pertinent to their changing circumstances, they are doing little more than paying lip-service to its contents. Circumstances will inevitably change, be they organizational, technical, physical or even political, and so will the consequent risks to the business and their attendant security requirements. Reviewing the policy is therefore of critical importance to ensure its ongoing relevance, as is communicating any changes to all affected employees.

In fact, communication is a key success factor in any policy. Users need to be aware of the requirements it contains, and companies need to plan their communications so that access to an up-to-date copy is a pain-free process. Employees also need to have the time to read it if they are to stick to the guidelines. It is all too easy to assume that just because a policy exists everyone is aware of its contents. Instead of relying on employees to ‘pull’ the rules and guidelines from the chosen channel, companies should make it as difficult as possible to avoid the policy, by using some form of ‘push’ method of communicating it.

Furthermore, companies need to win the hearts and minds of their employees if the policy is to be adopted universally. This means more than simply lecturing people. Users should completely understand the importance of what is being put in place as well as the reasoning behind it. The ease with which this can be achieved is largely dependent on the size of the company. In a small firm it is often still practical to talk to users individually and make sure they realise what they need to do. However, it is a different matter in organizations with hundreds or thousands of people. It is often harder to communicate in a bigger company, especially one that employs remote or mobile users or contractors. In addition, large organizations are more likely to have public shareholders and a higher profile and are consequently more vulnerable to deliberate attack.

There are a number of methods that can generate awareness of the security policy, and its impact on employees. A good place to start is by embedding security into job descriptions and employment contracts and making it part of performance reviews and appraisals. This ‘pushes’ information out to workers, letting them know from the start what is expected of them, and making it clear from the outset that they will be monitored. All employees should also go through specific security training that is appropriate to their role, covering areas such as general security, data protection and compliance. This is where the board’s engagement with HR is essential: training may need to be renewed as a person changes role or is promoted through the organization. For example, if managers are to take on a degree of responsibility for the security of their department, they must have appropriate training and resources.

Employee education can be face-to-face or a Web-based e-learning course, depending on the organization’s specific requirements. Users should be trained when they first join the company, and that training should be repeated regularly to make sure it is kept up to date, particularly when significant security policy or technology changes have taken place. In larger organizations, tools such as a well-publicised online security reporting facility and a 24/7 security helpline make it easier for users to report any suspected or actual security problems, ensuring they can be effectively dealt with in a timely manner. Again, there is a fine line between giving people insufficient training and concentrating on security to the extent that people don’t have time to do their job. It all comes down to assessing cost and productivity against risk. The organization and its board must decide what level of risk they are prepared to manage.

Aside from direct education and contractual obligations, there are numerous ways in which the security policy can be conveyed. In particular, the corporate intranet is a valuable tool that can be used to outline the security standards that employees are expected to comply with, as well as providing users with training materials and background information. Because it is straightforward to update, an intranet can be a much more dynamic, engaging and even interactive method of communicating. For example, organizations can adopt a different security theme each month, run it across the intranet and email users with specific information about the threats involved, hints and tips, or even simple glossaries to help users gain greater understanding of what they are dealing with.
Monitoring the policy

When rolling out security, companies should include the appropriate mechanisms to identify where and when policy breaches occur. This includes encouraging employees to report security breaches by promising them anonymity or reward, for example. There is little point in having security technology in place if you don’t know when it is being bypassed. Where the security policy is automatically enforced (for example, by using one-, two- or three-factor authentication to log in) the company can be reasonably sure that the policy is being complied with. However, where policies rely on individual discretion, be it the wearing of an ID pass or storing valuable information on vulnerable PDAs, there is less assurance that the policy is being met. In these instances, effective monitoring processes such as spot checks or exercises will be required to confirm that compliance with the policy is actually taking place.

It is also important to ensure there are appropriate consequences for non-compliance. Positively incentivising staff is always preferable, but with something as critical as IT security, there also need to be negative consequences for non-compliance. Users need to understand what will happen if they don’t adhere to policy. Furthermore, those penalties need to be consistently enforced and, just as importantly, seen to be enforced to ensure that the message gets across: security isn’t an option, it is a necessity.
Measuring success

It isn’t enough just to roll out security policy and training and leave it at that. Whatever the size of organization, and however sophisticated its chosen communication methods, the ability to assess the level of compliance, and hence the success of those policies, is essential. Although it can be difficult to measure the direct impact of security awareness programmes on the bottom line, there are other ways to assess their success. For example, recording intranet page impressions can reveal how interested people are and how much they are reading beyond the first page. Statistics gathered by a helpline can reveal increases in types of reported incidents following training or the distribution of education packages. The effectiveness of policies and training can also be assessed by establishing whether the number and cost of security breaches has reduced since their implementation. As a baseline, organizations need to establish what the cost of security breaches is, whether it is from loss of data, network downtime or wasted staff time, as well as the cause in each case. They will then be able to identify where the weak spots are, what resources are required and what targets need to be met.

Employees are the weakest link in the security chain, but they are also the most important part of the business. Every company likes to boast that people are its most valuable asset, so security measures need to work with them, rather than against them. To do that, it is critical to take time to write a policy that will support users as they do their job, while making sure that they understand what they need to do, why they need to do it and what the implications are if they don’t.