Standards outline the essential criteria employees must meet to comply with security policies. They can be as simple as, "All passwords are to be kept confidential," or can require the use of specific equipment, software or operating system levels. It's important to keep standards current with the needs of the organization, both in the processes they prescribe and in how practical they are for supporting the business objectives of the various departments.
Standards and policies provide the enterprise with a security compliance framework, which permits each department to develop local implementation procedures. Each department head will need to follow the same process to create a standards-based compliance plan. Best practices include:
- Review existing procedures and practices against company standards
- Document the business unit's current compliance level
- Document deficiencies
- Create a compliance plan
- Implement compliance plan
- Check compliance annually
Users also need instruction on their role in implementing standards, typically provided through a department-specific section in the security policy manual that defines acceptable usage.
It's equally important to align standards and policies with the enterprise mission and business objectives to ensure ongoing and effective compliance. Avoid creating standards that are difficult to implement. For example, a standard such as, "All data contained on company workstations must be encrypted when stored or transmitted," is an admirable objective, but one that will likely slow down the business process for some departments, which could result in abandonment by management and staff. No department requires encryption all the time on all content; confidential information, of course, must be encrypted at all times.

Keep standards current via an annual review (at a minimum) to ensure they reflect the existing business needs and operating environment. For example, one problem that my wife faced recently when implementing a single sign-on solution for her organization was a requirement to change user passwords every 30 days. When I asked her why that was required, she said, "Because it's a standard, and it has always been that way."
The problem with applying that standard today is that users now access numerous accounts with various passwords (eight accounts on average), whereas when the standard was created the typical user had one account and one password.
Requiring that passwords be changed every 30 days might still be a useful standard in some instances -- but for the right business needs and operational reasons. However, in my wife's situation, the standard remained a requirement from when security practitioners were implementing the popular access control package installations of the mid-1970s. Clearly, my wife was attempting to install a single sign-on package that was running smack dab against an outdated standard -- one that was used when a terminal room allowed users to sign up for terminal usage and remote job entry meant a card reader on another floor. The environment had changed, but the standard remained the same.
The bottom line is that standards must keep pace with the changing environment and the growth of technology. Effective standards need annual reviews against current objectives and organization needs.
About the author
Tom Peltier has been an information security professional for more than 25 years. He has written books on information security policies and contributed to several books on CISSP preparation, and computer and data security.