The 7 Top Mistakes - Part 1
By Dale McNulty


Surveys by Verisign, the SANS Institute and others consistently chronicle what is probably obvious to most InfoSec professionals but has not yet permeated the collective mind of the rest of industry: mistakes are the root of the problem, and they occur at all levels of the organization.


These surveys invariably divide the blame across the organization, crediting management, IT staff and users without ranking them. This paper is the first in a series that focuses specifically on the role of management, because management has primary, ultimate and legal responsibility for information security across the organization. The series delineates the most "popular" management mistakes and what can be done to avoid security breaches and minimize escalating costs. The focus here is on the single most significant factor contributing to ineffective information security and to security consulting failures. Subsequent articles chronicle the other mistakes in approximate order of importance.

1. Management fails to establish a sound, written security policy, communicate it throughout the organization and support it. The very foundation of effective information security is a comprehensive, written security policy tailored to the needs of the organization. Every other element of security is derived from policy and management's support of it. Procedures and guidelines are derived from policy. Enforcement is enabled by policy. Liability, both corporate and personal, is mitigated by policy. Policy helps establish roles and responsibilities within the organization and, as such, helps IT and management coordinate and understand each other.

The importance, role and nature of policy are frequently misunderstood. Policy is the first and highest level of specification. It defines strategy or direction and embodies concepts that are to be achieved but it does not define how to achieve them. The "how to" is specified by procedures and guidelines that are derived from policy. Once policy is established, somebody must establish the operational procedures and guidelines that will drive the organization in its day to day operations.

While policy is essential, there is effectively no policy unless management demonstrates support for it. Management must understand the importance of policy and instill that regard throughout the entire organization. One of the most effective ways to demonstrate support for policy is to educate every person, regardless of the person's position, about security and security policy. The benefits of education go well beyond simply increasing policy awareness throughout the organization. The importance of effectively communicating policy to the organization is threefold.

a) The organization's personnel cannot be held responsible for their actions unless it can be demonstrated that they were aware of the policy prior to any enforcement attempts. Simply exposing people to policy is probably not enough either. Thorough training accompanied by testing is the best way to demonstrate that people are truly aware.

An effective policy is a living document that changes periodically, and those changes need to be communicated to the organization. Additionally, it is the nature of most people to become lethargic, especially about abstract ideas such as security policy. Therefore, education and testing should be renewed frequently. We recommend classes and testing at least 3 times a year.

Another way of communicating and supporting policy is by incorporating it throughout the organization. For example, parts if not all of the security policy should be incorporated into HR documents such as the employee manual/handbook. Once again, however, simply placing the statements in the handbook is not sufficient. How many employees actually take the time to understand the contents of their employee manual? We recommend testing people on the handbook contents.

b) Education helps mitigate corporate and personal liability. While the fact of organizational liability is slowly being understood and accepted by corporate America, the reality of personal liability has not yet begun to sink in. In fact, U.S. computer crime law specifies penalties of up to $290M and jail time for the person or persons responsible for any security breach that compromises data. Adequate, written security policy communicated to the organization effectively builds the case that management has done what it has to do to establish information security throughout the organization, thereby mitigating corporate and personal liability.

c) Benefits of educating the organization go even further. It has been demonstrated that security training not only raises security awareness across the organization and increases the effectiveness of security safeguards; it reduces fraud and abuse of the entire computing infrastructure and increases the ROI on the organization's investment in security as well as the investment in computing infrastructure in general.

Policy is not only the starting point for effective information security; effective policy is present throughout the organization. Properly managed, policy not only helps secure the organization but also helps mitigate corporate and personal liability, minimize abuse of computing resources and increase ROI on the security and infrastructure investment.

Dale McNulty is Chief Technical Officer of Surrex Solutions Corporation. Surrex has a specialized practice in managed security consulting. Surrex provides policy, independent audit, education, and intruder preparation/detection computer forensics. Dale has been active in the computer industry for more than 25 years and is considered a leading knowledge source in the field.
Copyright © 2002 Surrex Solutions Corporation. All rights reserved.

 
Refreshed 1-21-08