CHICAGO -- Developing a sound security policy is an ongoing task as new challenges spring up virtually every day.
"Creating a security policy is really, really hard," said Chris Christiansen, IDC's program vice president for e-business infrastructure and security software at the Security Decisions 2002 here Wednesday. "Getting it right is increasingly difficult."
Policies aren't static documents but flexible rules that address the ever-changing security landscape. A year-old policy may be outdated today. "You may feel like a dog chasing its tail but it does get a little easy," Christiansen said.
An effective policy will take lots of heated discussion among all the involved parties. No one wants to be inconvenienced by security. Plus, different areas of the enterprise have different conceptions of what security really is.
"There's a lot of back and forth between the three groups (HR, legal, business unit)," said Lewis Kok, an administrator with Zurich Insurance. "There's some arguing, but it's necessary to have a strong policy in place."
Though such a process isn't pleasant; it's imperative to create a policy that addresses security in a workable fashion. "A policy that isn't followed is worthless," said Michael Lawrence, network administrator with the city of Lenexa, Kansas.
Lawrence is in the process of developing a new security policy. The project was prompted by the city changing ISPs. As a result, the volume of outside threats increased 1,000%, Lawrence said.
"I have made a nimble here, a nimble there," Lawrence said of the changes. "In two weeks, there will be a slap."
The city's new security policy will address some of the newer security concerns. For example, Lawrence has blocked access to outside Web-based e-mail accounts. The new policy will also prohibit instant messaging.
A policy must also be flexible so it can accommodate various situations, said Greg Francis, senior system administrator with Gonzaga University in Spokane, Wash. The university's security policy could be a little more comprehensive but it's very enforceable.
The university faces unique issues such as students using their own computers on the Gonzaga's network from their dorm rooms. Is the school responsible for students using the school's network to download MP3s to their personal computers?
Gonzaga's security policy was written four years ago with an eye towards being broad enough to address new issues, Francis said. For example, the downloading of MP3s is addressed by prohibitions on improper use of copyrighted material.
"Security policies for hospitals also have special requirements. They cannot tell doctors what they should do. Not like a bank would tell what their tellers what to do," said J.D. Hedgespeth, information security officer for Catholic Healthcare Partners in Cincinnati.
A policy cannot impede doctors from treating patients. "Just the process of logging in and out takes time away from treatment. Some may say, 'what does it take? 10 seconds' Well, yes, but in some cases, 10 seconds may be too long," Hedgespeth said.