Published: 24 Jun 2005
Policy & Process
To gain buy-in and support for your security policies, it's best to start at the top.
A clearly written security policy that's supported by management, properly implemented by technical staff and complied with by users is the dream of every security manager.
The real world, though, is a bit different. When asked by Information Security what's making their jobs harder, 58 percent of security managers pointed to user ignorance and policy noncompliance. Close behind were business units ignoring risk and threats (51 percent), and the lack of management buy-in and support (43 percent).
Security polices aren't something that are written and put on a shelf to collect dust. They're living, dynamic documents that should embody the mission and operations of the enterprise. That means how the policy is created, implemented, communicated and enforced is just as important as what the policy says.
Bridging the gap between policy intent and policy practice isn't difficult. Like most things in security, it's about process. Security managers can use some relatively simple techniques to get everyone on board with security policies and on track for continual compliance.
Right from the Get-Go
The failure to obtain sufficient buy-in from top management prior to issuing a policy is one of the most pervasive problems on the track to compliance.
Often, security policies are agreed to and approved by a CIO rather than a CEO, and the subsequent conflicts between the two executives can undermine enforcement efforts. Be sure to get approval from both parties. Also, get management to approve your department as the issuing authority for all security policies; this will help prevent and resolve disputes with noncompliant departments.
As a security manager, you are responsible for outlining trade-offs with management before a policy is implemented. You need to perform the necessary research, and brief management on the good and bad news of each proposed policy, including any overlap or conflict it may have with business operations. These overlaps and conflicts should be worked out before the policy is issued.
Also, talk to management about what should exist under the policy, and then obtain the budget to make the necessary changes. Leaving this discovery and correction process until after the policy has been issued can result in management feeling duped into spending more money than necessary on security. If this happens, you can be sure that future budget requests will be heavily scrutinized.
The upfront work also needs to include risk assessments where those writing the policy become familiar with the organization's security real estate. Without this information, policies are likely to be stiff, rigid and ill-suited to your organization. This will, in turn, encourage staff members to deviate from, if not ignore, the policy.
Poor project planning and inadequate follow-through may also come from writing and publishing a policy without understanding the consequences. You should have a rigorous project-planning and status-reporting system in place to oversee the implementation of the policy requirements.
The Language Barrier
When planning compliance projects, management often allocates insufficient time and staff with the belief that, by setting aggressive goals for the installation of a new security system, employees will complete the compliance project because of the stiff deadline. However, the result is often demoralizing for your security team.
A chief complaint among security managers has been inadequate resources to handle policy compliance. Although policy may dictate strong fixed passwords, for example, a lack of tools to check policy compliance will ensure that weak passwords remain in use.
Better communication with management over software investments and the legal standard of due care will help scale any barriers created by a lack of policy enforcement.
Considerable effort must also be devoted to training and awareness—most notably, with management. Policymakers should tie in business objectives before the policy is written, and emphasize at every opportunity how security policies inherently support business objectives. In other words, good security means good marketing. Strong security policies posted on the company Web site will encourage customers to do business with your company. When management understands the synergy between business objectives and security compliance, resources and support will be easier to obtain.
The Great Divide
When management doesn't pay sufficient attention to compliance monitoring, the divide between compliance and noncompliance grows. To help proactively close this gap, you need to discuss with management how to measure compliance. The C-suite needs to understand that it's not sufficient just to buy and install a security product; much more must accompany and support the product for an acceptable level of security to be achieved. That includes ongoing efforts in administrative support, user training, maintenance (patches and updates) and integration with other security systems.
Ideally, automated controls, such as an automated key management system that changes encryption keys on a regular basis, are preferred. A manual system will require more compliance checking than an automated one, but all too often, management decisions are based on up-front costs—and manual controls are much cheaper to deploy.
Security policies should be reviewed and updated annually—more frequently if an important change in the organization takes place, such as a merger or acquisition, or the introduction of a new product or service. Red flags—like an adverse audit report or a major network outage—should trigger an immediate policy review. The lack of periodic, ad hoc reviews will result in an even bigger compliance gap. And, over time, the written policy will drift farther away from your organization's needs. Enterprises should have a formalized, sufficiently funded update process and keep a running log of any network changes.
Bridging the Gap
Security is neither instinctive nor intuitive; it's your job as a secu-rity manager to make it as trans- parent, easy to use and unobtrusive as possible.
An easy way to instill security policy understanding is by tailoring the written policy to the operations and missions of various departments. When each department has an understanding of its security role, the compliance vs. noncompliance gap shrinks.
Problems related to the communication of security requirements can also crop up. Your enterprise's security will suffer if it doesn't have a formal policy that takes into account risks, regulatory requirements and change management controls. A formal risk management process is the institutionalization of security, where it's made part of the enterprise's day-to-day routines.
By slowly phasing in policy requirements, you will gain users' cooperation and trust. Sufficient training is also an important step, and testing your staff to make sure it understands the policy is recommended. Security is made easier if passing one of these tests is a user's prerequisite to obtaining information systems services, such as gaining remote access privileges.
Regular system activities need to include steps that force compliance. Business units should be required to get your signoff on new applications before they're pushed into production networks.
Risk assessments are the hot-button topic these days, but, surprisingly, organization-wide risk assessments are rarely done. Worse, assessment recommendations are rarely implemented due to budget constraints. Proper risk assessments will take a holistic view of controls on many levels, including your staff training, technical expertise, organizational design, compliance efforts, policies and documentation. The lack of a risk assessment will prevent management from appreciating the type of policies that are needed, and, as a result, the existing policy is likely to be a bad fit with enterprise needs. To prevent this, perform annual organization-wide risk assessments and verify that the people updating the policy are intimately involved with those who are responding to the assessment's findings.
A Light at the End of the Tunnel?
Many security policy products are on the market these days, but management often has unrealistic expectations about what these commercial products can do in terms of creating, updating and checking compliance, and implementing policy. While there are no silver bullets, there are products out there that can help bring organizations into compliance.
Sophisticated Web-based tools, including document management systems and online testing systems such as BindView's BindView Policy Development and NetIQ's Vigilant Policy Center, can be good investments—as long as management understands that compliance can't be fully automated.
Do your research: Investigate what commercial policy-related products offer, and be sure to communicate the findings to management. Likewise, be sure to acquaint management with the real-world contributions that security products can make, and just how much associated effort and expense will be required to implement these products in your enterprise environment.
Proper communication with management, staff and departments will assure that compliance efforts are kept on the track for success.