Security policies need simplifying, expert says

By Robert Westervelt, News Editor
26 Mar 2009 | SearchSecurity.com

Security Wire Daily News

BOSTON -- Company security policies are often unfocused and get in the way of overall business objectives. The result is a hodgepodge of security rules frequently ignored by end users and ultimately an increased risk of data leakage, said Charles Cresson Wood, a consultant at InfoSecurity Infrastructure Inc., a Mendocino, Calif., consultancy.

Wood urged attendees at SecureWorld Boston Expo, Wednesday, to conduct a thorough review of company security policies, simplifying and focusing them to be more consistent with business needs.

"Policies are supposed to be the glue that holds everything together in a cohesive fashion," Wood said. "Management needs to support it … and psychologically the whole environment needs to be fostered around valuing security."

Companies are increasingly neglecting security policies and failing to enforce them, resulting in apathetic employees, Wood said, pointing to a study of 890 IT professionals conducted by the Ponemon Institute in 2007. The study found that 87% of those surveyed used USB sticks to carry company information even though company policy prohibited them from doing so. Another 46% said they routinely share passwords with colleagues, despite two-thirds of them knowing that security policies prohibit password sharing.
Ignored security policies destroy businesses, Wood said, pointing to Chicago-based Arthur Andersen LLC, which never recovered from its shoddy accounting practices uncovered during an investigation of the Enron scandal. Employees there ignored Arthur Andersen's document retention and destruction policy.

"This was a fraction of their problems in the area of implementing information security policies," Wood said.

Having and maintaining a document is not enough. Sound policy needs to be refined over time to adjust for regulatory requirements, business strategy changes and risk assessments, Wood said.

"We haven't done the basics well," Wood said. "It's time and money well spent for you to go back and review your policies. The payoff for doing this is high."

Among the best practices Wood cited are conducting an annual risk assessment and tying it into the company security policies; tailoring policies to the organization's own risk profile; and creating a culture of quality control in which compliance with security policies is highly valued.

In the future, violations of policy could become much more visible, Wood said. Security systems are already becoming more proactive than defensive, and business processes will continue to become more automated, he said.

"The average time of a violation of policy and the discovery of that violation will come down rapidly," he said.

Wood also envisions a new series of regulations much like Sarbanes-Oxley, tailored toward data protection and privacy. The rules would require CEOs and other top business executives to sign off that security controls are in place. Wood also said security controls could be monitored by an appliance, much like an airplane's black box, to allow investigators to track down the missteps that led to a data breach.

"Security policy used to be a one-size-fits-all approach, but now you need your policy to support your business in the years ahead," Wood said.
