This article can also be found in the Premium Editorial Download "Information Security magazine: Why business managers are a breed of security professional."
The Great Divide
When management doesn't pay sufficient attention to compliance monitoring, the divide between compliance and noncompliance grows. To help proactively close this gap, you need to discuss with management how to measure compliance. The C-suite needs to understand that it's not sufficient just to buy and install a security product; much more must accompany and support the product for an acceptable level of security to be achieved. That includes ongoing efforts in administrative support, user training, maintenance (patches and updates) and integration with other security systems.
Automated controls, such as a key management system that rotates encryption keys on a regular schedule, are preferable. A manual system will require more compliance checking than an automated one, but all too often management decisions are based on up-front costs, and manual controls are much cheaper to deploy.
Security policies should be reviewed and updated annually—more frequently if an important change in the organization takes place, such as a merger or acquisition, or the introduction of a new product or service. Red flags—like an adverse audit report or a major network outage—should trigger an immediate policy review. The lack of periodic, ad hoc reviews will result in an even bigger compliance gap. And, over time, the written policy will drift farther away from your organization's needs. Enterprises should have a formalized, sufficiently funded update process and keep a running log of any network changes.
Bridging the Gap
Security is neither instinctive nor intuitive; it's your job as a security manager to make it as transparent, easy to use and unobtrusive as possible.
An easy way to instill security policy understanding is by tailoring the written policy to the operations and missions of various departments. When each department has an understanding of its security role, the compliance vs. noncompliance gap shrinks.
Problems related to the communication of security requirements can also crop up. Your enterprise's security will suffer if it doesn't have a formal policy that takes into account risks, regulatory requirements and change management controls. A formal risk management process is the institutionalization of security, where it's made part of the enterprise's day-to-day routines.
By slowly phasing in policy requirements, you will gain users' cooperation and trust. Sufficient training is also an important step, and testing your staff to make sure it understands the policy is recommended. Security is made easier if passing one of these tests is a user's prerequisite to obtaining information systems services, such as gaining remote access privileges.
Regular system activities need to include steps that force compliance. Business units should be required to get your signoff on new applications before they're pushed into production networks.
Risk assessments are the hot-button topic these days, but, surprisingly, organization-wide risk assessments are rarely done. Worse, assessment recommendations are rarely implemented due to budget constraints. Proper risk assessments will take a holistic view of controls on many levels, including your staff training, technical expertise, organizational design, compliance efforts, policies and documentation. The lack of a risk assessment will prevent management from appreciating the type of policies that are needed, and, as a result, the existing policy is likely to be a bad fit with enterprise needs. To prevent this, perform annual organization-wide risk assessments and verify that the people updating the policy are intimately involved with those who are responding to the assessment's findings.
A Light at the End of the Tunnel?
Many security policy products are on the market these days, but management often has unrealistic expectations about what these commercial products can do in terms of creating, updating and checking compliance, and implementing policy. While there are no silver bullets, there are products out there that can help bring organizations into compliance.
Sophisticated Web-based tools, including document management systems and online testing systems such as BindView's BindView Policy Development and NetIQ's Vigilant Policy Center, can be good investments—as long as management understands that compliance can't be fully automated.
Do your research: Investigate what commercial policy-related products offer, and be sure to communicate the findings to management. Likewise, be sure to acquaint management with the real-world contributions that security products can make, and just how much associated effort and expense will be required to implement these products in your enterprise environment.
Proper communication with management, staff and departments will ensure that compliance efforts stay on track for success.
This was first published in June 2005