Crafting IT security policies for a large enterprise is a chore. Enforcing those policies is likewise arduous.
Sound like a lose-lose situation? In many cases, it may be. But security policies are an absolute necessity in the enterprise today, despite the hurdles and hardships.
SearchSecurity.com users agree. More than 400 voted in a recent poll hosted on the site and chose security policies and user compliance as the most pressing issue at their company.
Problem is, some companies have yet to elevate IT security as a boardroom priority and, therefore, policies are either in perpetual draft form or don't exist, said Mandy Andress, president and founder of ArcSec Technologies Inc., a San Mateo, Calif.-based provider of independent, third-party analysis of security technologies and products. She said few are approved by management and often remain a "pet project" of the chief technical officer.
"Getting management support can sometimes be tricky. You need to make them 'feel the pain' of bad security," said SearchSecurity.com reader Urmas Aamisepp. "This can be done in different ways. One of my favorites is a risk analysis. Once the management is there, they are actually part of the process, which makes the rest of the security work a lot easier."
Writing a security policy may take months and is a many-fold process that requires input from several tiers of the corporate food chain, including the executive level, IT and human resources, among others.
"The initial process of writing the policy requires getting all the necessary parties together to understand what the policy will entail," Andress said. "A cohesive decision has to be made about what you can and cannot allow and what will work best within the business plan. There's a certain level of experience and expertise required on staff to write a policy to get it to the level of a best practice."
However, if security stands in the way of revenue generation, the bottom line usually wins out, users said.
"Management support depends on corporate culture. My company is very feature-driven. If security hampers the quick development and deployment of exciting new technologies, management becomes very uneasy," said Felix Grabmeyer, a SearchSecurity.com reader. "Therefore, my colleagues and I have to be quick and flexible in adapting new technologies and applications into the security policies in place. One possibility to do this is to prefer more generic policies over specific and very detailed ones. (Of course, this raises the problem of how to enforce them.)"
Having a chief security officer or equivalent on an equal footing with the chief information officer is a key piece to the policy puzzle in terms of getting a policy approved by management and then ensuring it is enforced once approved, Andress said.
"It has to be a separate entity. A CSO needs the power to do what needs to be done. If a CSO is under a CTO, a big project that will generate revenue will get priority over an intrusion-detection system that doesn't necessarily produce revenue. The IDS will get pushed back. Policies fall into that a lot," Andress said.
Once a policy has been written and management has signed off on it, enforcement becomes the next bugaboo. Andress said enforcement comes through a combination of vigilance and adequate access to technology for the CSO, who must have the authority to enforce the policies.
"Once a policy is written, a CSO will have to communicate the policy to everyone so that they can understand what they can and cannot do," Andress said. "A policy won't mean anything if you cannot enforce it."
User Aamisepp concurs that enforcement requires training, but advises against locking employees in a classroom for formal lectures. He prefers reminders during departmental meetings, for example, and acknowledges that changing employee habits and attitudes takes time.
"There will always be people who don't follow rules. In order to handle these people you need a policy that describes the disciplinary actions taken when rules are broken," he said. "This one needs to be enforced -- even if it's someone from management who'll eventually get fired for not following company policy."
Enterprises currently in the writing process have numerous resources to consult that have been published online and in print. Most universities post their policies online, Andress said. The SANS Institute also offers templates for download. There are also software tools from vendors like PoliVec Inc. that automate the policy-writing process. Andress also said that many companies follow Charles Cresson Wood's Information Security Policies Made Easy.
Yet Andress cautioned that enterprises must tailor these templates to fit their business models and requirements.
"Some companies are finding default templates and using that as their policy without understanding a company's requirements," Andress said. "That's why companies have policies that don't fit their organizations."
Policies also have to be living documents and must be reviewed at least annually to determine if they are still relevant to business practices, Andress said.