Reworking Risk Policy
by Harris Weisman
Issue: Jun 2006

Another example is the password-aging setting in Microsoft Windows. If the policy requires complex passwords, the guideline dictates the maximum age of a password, and Active Directory is configured with that maximum password life.
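The policy-to-setting mapping just described can be checked automatically rather than by eye. The following script is an added example and not code from the article: it reads the effective default domain password policy with the ActiveDirectory module's Get-ADDefaultDomainPasswordPolicy cmdlet and compares it with the values a written guideline requires. The guideline numbers (90 days, 12 characters, 24 remembered passwords) are constructed for the example, and the script assumes the RSAT ActiveDirectory module and an account permitted to read the domain policy.

```powershell
# Added example, not code from the article: compare the effective Active Directory
# default domain password policy with the values the written guideline requires.
# Assumes the RSAT ActiveDirectory module and a domain account allowed to read the policy.
Import-Module ActiveDirectory

function Test-DomainPasswordPolicyCompliance {
    param(
        # Values the written guideline dictates (these numbers are constructed for the example).
        [bool]   $RequireComplexity    = $true,
        [int]    $MaxPasswordAgeDays   = 90,
        [int]    $MinPasswordLength    = 12,
        [int]    $PasswordHistoryCount = 24,
        [string] $Server                 # optional: a specific domain controller to query
    )

    $dcArgs = @{}
    if ($Server) { $dcArgs.Server = $Server }
    $policy = Get-ADDefaultDomainPasswordPolicy @dcArgs

    # MaxPasswordAge is a TimeSpan. An unset age (passwords never expire) must fail the
    # check rather than pass it, so the configured value has to be positive AND within the limit.
    $configuredAgeDays = [int]$policy.MaxPasswordAge.TotalDays
    $ageCompliant = ($configuredAgeDays -gt 0) -and ($configuredAgeDays -le $MaxPasswordAgeDays)

    # One record per setting: what is configured, what the guideline requires, and the verdict.
    $checks = @(
        [pscustomobject]@{ Setting = 'ComplexityEnabled';     Configured = $policy.ComplexityEnabled;    Required = $RequireComplexity;         Compliant = ($policy.ComplexityEnabled -eq $RequireComplexity) }
        [pscustomobject]@{ Setting = 'MaxPasswordAge (days)'; Configured = $configuredAgeDays;           Required = "<= $MaxPasswordAgeDays";   Compliant = $ageCompliant }
        [pscustomobject]@{ Setting = 'MinPasswordLength';     Configured = $policy.MinPasswordLength;    Required = ">= $MinPasswordLength";    Compliant = ($policy.MinPasswordLength -ge $MinPasswordLength) }
        [pscustomobject]@{ Setting = 'PasswordHistoryCount';  Configured = $policy.PasswordHistoryCount; Required = ">= $PasswordHistoryCount"; Compliant = ($policy.PasswordHistoryCount -ge $PasswordHistoryCount) }
    )
    return $checks
}

# Usage: print the per-setting table and exit non-zero if anything has drifted,
# so the check can run from a scheduled task and feed a compliance report.
$results = Test-DomainPasswordPolicyCompliance
$results | Format-Table -AutoSize
$drift = @($results | Where-Object { -not $_.Compliant })
if ($drift.Count -gt 0) {
    Write-Warning ("{0} password-policy setting(s) deviate from the guideline" -f $drift.Count)
    exit 1
}
```

One caveat for a full audit: fine-grained password policies (Get-ADFineGrainedPasswordPolicy) can override the default domain policy for specific users and groups, so a check of the default policy alone does not prove that every account is covered by the guideline.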

It's easy to see how information security policies can be used to create practical and enforceable controls for managing the enterprise. However, this process is extremely hands-on: someone has to intervene to correlate the data between the various control points, including antivirus programs, IDSes, firewalls and authentication systems such as Active Directory. Manually monitoring for policy compliance can be quite cumbersome. Potential problems include the following:

  • The antivirus management console could occasionally lose connectivity with individual servers or workstations, leaving an exposure point on the corporate network. Detecting this policy deviation and correcting it can be extremely time-consuming.
  • It's not unheard of for content management providers to misclassify Web sites. For example, chocolate-maker The Hershey Company's site was once misclassified as pornographic. This type of error can lead to false positives and, if the site is not classified at all, can give users a way to bypass the system. Monitoring this control is time-consuming and frustrating. Plus, managing user exceptions (those who are allowed to bypass the filtering system to conduct research) complicates matters by creating a need to track exceptions for compliance reporting.
  • Although systems like Active Directory can stipulate that users have complex passwords, it is possible to bypass the intent of the control, resulting in the user having a weak password. Because of this, it's important for security administrators to occasionally audit users' passwords with a password-cracking tool.
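The first problem in the list above, an antivirus console that has quietly lost contact with some machines, is exactly the kind of cross-control-point correlation that is tedious by hand and cheap to script. The following is an added example, not code from the article: it takes the directory's inventory of enabled, recently used computers (Get-ADComputer) and the antivirus console's list of hosts it has heard from, and reports every active machine the console either does not know or has not heard from within a few days. The console export format (Hostname and LastContact columns) and the sample rows are constructed for the example; the script assumes the ActiveDirectory module and a real console's report would be loaded with Import-Csv instead.

```powershell
# Added example, not code from the article: correlate two control points automatically,
# the directory's inventory of active computers and the antivirus console's list of hosts
# it has heard from, to find machines the console has lost contact with.
# Assumes the ActiveDirectory module; the console export format is constructed and
# stands in for whatever report a real console produces.
Import-Module ActiveDirectory

function Get-AntivirusCoverageGaps {
    param(
        # Rows from the AV console export, with Hostname and LastContact (ISO 8601) columns.
        [Parameter(Mandatory)] [object[]] $ConsoleRows,
        [int]      $MaxSilentDays    = 3,          # a host silent longer than this is flagged
        [int]      $ActiveWithinDays = 30,         # ignore stale AD objects with no recent logon
        [datetime] $Now              = (Get-Date)  # injectable so reports are reproducible
    )
    $silentCutoff = $Now.AddDays(-$MaxSilentDays)
    $activeCutoff = $Now.AddDays(-$ActiveWithinDays)

    # Control point 1: enabled domain computers that have actually been used lately.
    $adHosts = Get-ADComputer -Filter 'Enabled -eq $true' -Properties LastLogonDate |
        Where-Object { $_.LastLogonDate -gt $activeCutoff }

    # Control point 2: the console's view, keyed by upper-cased hostname so case differences
    # between the two systems do not produce false "missing" results.
    $lastContact = @{}
    foreach ($row in $ConsoleRows) {
        $lastContact[$row.Hostname.ToUpperInvariant()] = [datetime]$row.LastContact
    }

    # Emit one record per deviation; a host the console has heard from recently produces nothing.
    foreach ($computer in $adHosts) {
        $key = $computer.Name.ToUpperInvariant()
        if (-not $lastContact.ContainsKey($key)) {
            [pscustomobject]@{ Computer = $computer.Name; Status = 'NotInConsole'; LastContact = $null }
        }
        elseif ($lastContact[$key] -lt $silentCutoff) {
            [pscustomobject]@{ Computer = $computer.Name; Status = 'LostContact'; LastContact = $lastContact[$key] }
        }
    }
}

# Usage with a constructed console export; a real run would Import-Csv the console's report.
# With -Now set to 15 June, FS01 is within the 3-day window and WS-ACCT-07 is flagged.
$sampleExport = @'
Hostname,LastContact
FS01,2006-06-14T08:05:00
WS-ACCT-07,2006-06-02T17:40:00
'@ | ConvertFrom-Csv

Get-AntivirusCoverageGaps -ConsoleRows $sampleExport -Now ([datetime]'2006-06-15T09:00:00') |
    Format-Table -AutoSize
```

The ActiveWithinDays filter matters in practice: without it, every decommissioned machine whose computer object was never deleted shows up as a coverage gap, and the report drowns the real deviations in noise. The output is a list of objects rather than text, so the same function can feed a scheduled e-mail, a ticket, or the compliance report the article describes.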
