Honesty, and Good Security Guidelines, are the Best Policies

Carl Weinschenk

On a conceptual level, virtually no executive would argue against the need for well thought-out security policies and procedures. Thinking security through clearly, writing down the steps to be taken, and making sure that each employee is aware of them is made more of a no-brainer by legal and regulatory compliance requirements.


The bottom line: If a company loses data, it could be in trouble. If it loses data and hasn't created a reasonable set of policies and procedures, it definitely is in trouble.


Setting policies isn't easy, however. In this ComputerWorld piece, researcher Anton Chuvakin offers five flaws in most companies' security policies. The first is not really a flaw in the policies -- it's not setting any at all. It logically follows that the next flaw is not updating the policy as the organization's standing -- and its technical holdings -- shift. The third flaw is having a policy, updating it -- and not ensuring that employees know what is going on. Focusing too much on technology and not enough on the real world and how employee act is the fourth class of mistake. Finally, Chuvakin writes, policies must be written in understandable language. This, of course, is something with which IT sometimes struggles.


Not following privacy and security policies can be criminal. Customers whose data goes missing and the government take breaching security policies (or not having a set in place) extremely seriously. Privacy Law Blog, a site kept by the law firm of Proskauer Rose, describes a consent decree that the Federal Trade Commission and a retailer named Life Is Good have agreed to in principle. The agreement will subject Life Is Good to audits for the next 20 years. The bottom line of the post, which goes into legalistic detail, is that the company's privacy policy promised to protect customers' data. Life Is Good subsequently failed to take even the most rudimentary steps to do so. Ironically, the list of five things the company would agree to do as part of a proposed settlement reads like the basis of a pretty solid security policy.


This is a very good piece about security policies written by Gene Schultz, the chief security information officer of High Tower Software. It also is the first of three installments to date on the topic (the later two are linked to from the posting). This installment is a bit of an overview. Schultz begins by saying the security policy when he arrived at Tower did not cover the situation that actually existed in the company. It also had provisions that employees would find hard to execute. He then describes how he rectified the situation, starting with a conversation with the CEO. Schultz considers policy to be a high-level document that provides guidance and direction. Standards and procedures are derived from the policy and are more of a tactical roadmap on how to fulfill the policy.


Policies are growing more important and more complex. The difficulty of comprehensively protecting data is growing in lockstep with its portability. This Cisco study suggests that employees working from home are more apt to relax and not remember that they must adhere to security policies just as they do in the office. Likewise, telecommuting leads to more non-employees, such as family members, using equipment. These folks are not cognizant of, or covered by, the security policies.


This useful overview of security policies from Symantec does contain some company hype but is, for the most part, neutral in tone. The piece begins by outlining the benefits of having a policy. The second element offers tips on formulating policies. It includes a pyramid describing the structure upon which the policies are built. The layers are the actual environment; security measurement tools; procedures, guidelines and practices; standards; and, at the top, the resulting policy. Perhaps the most useful element is a listing of almost 30 standards and regulations that must be accounted for in security policies (depending, of course, upon the industry). Links to more information about each are included.


The final summary inadvertently makes a good point about policies in general. A beneficial security policy is a complex undertaking that requires a great deal of deliberation. Indeed, it seems extremely easy to create policies that actually harm the organization by creating a false sense of security.

Add Comment      Leave a comment on this blog post

Post a comment





(Maximum characters: 1200). You have 1200 characters left.



Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.