BOSTON -- Company security policies are often unfocused and get in the way of overall business objectives. The result is a hodgepodge of security rules frequently ignored by end users and ultimately an increased risk of data leakage, said Charles Cresson Wood, a consultant at InfoSecurity Infrastructure Inc., a Mendocino, Calif., consultancy.
Wood urged attendees at the SecureWorld Boston Expo on Wednesday to conduct a thorough review of company security policies, simplifying and focusing them so that they are more consistent with business needs.
"Policies are supposed to be the glue that holds everything together in a cohesive fashion," Wood said. "Management needs to support it … and psychologically the whole environment needs to be fostered around valuing security."
Companies are increasingly neglecting security policies and failing to enforce them, resulting in apathetic employees, Wood said, pointing to a study of 890 IT professionals conducted by the Ponemon Institute in 2007. The study found that 87% of those surveyed used USB sticks to carry company information even though company policy prohibited them from doing so. Another 46% said they routinely share passwords with colleagues, despite two-thirds of them knowing that security policies prohibit password sharing.
Ignored security policies destroy businesses, Wood said, pointing to Chicago-based Arthur Andersen LLC, which never recovered from the shoddy accounting practices uncovered during the investigation of the Enron scandal. Employees there ignored Arthur Andersen's document retention and destruction policy.
"This was a fraction of their problems in the area of implementing information security policies," Wood said.
Having and maintaining a document is not enough. Sound policy needs to be refined over time to adjust for regulatory requirements, business strategy changes and risk assessments, Wood said.
"We haven't done the basics well," Wood said. "It's time and money well spent for you to go back and review your policies. The payoff for doing this is high."
Among the best practices cited by Wood are conducting an annual risk assessment and tying it into the company's security policies; tailoring policies to the organization's specific risk profile; and creating a culture of quality control in which compliance with security policies is highly valued.
In the future, policy violations could become much more visible, Wood said. Security systems are already becoming more proactive rather than purely defensive, and business processes will continue to become more automated, he said.
"The average time of a violation of policy and the discovery of that violation will come down rapidly," he said.
Wood also envisions a new series of regulations much like Sarbanes-Oxley, tailored toward data protection and privacy. The rules would require CEOs and other top business executives to sign off that security controls are in place. Wood also said security controls could be monitored by an appliance, much like an airplane's black box, to allow investigators to track down the missteps that led to a data breach. "Security policy used to be a one-size-fits-all approach, but now you need your policy to support your business in the years ahead," Wood said.