Effective security starts with policies

IT security policies are the foundation of any security infrastructure, and judging by findings from our 2001 InfoWorld Security Solutions Survey, companies recognize their importance. Of 500 respondents, only 3 per cent reported that their companies have no formal security policies. Creating the initial policy, however, is only the first step. A security policy should not be a static document but one that evolves to accommodate changing economic conditions, business plans, corporate cultures, and operating environments. To be effective, policies must be continually reviewed, improved, communicated to employees, and enforced throughout the organization.

Creating security policies that support all of your organization’s needs and objectives is a challenge, and this is underscored by the results of our study. Just half of those surveyed believe their company’s security policies are very well-aligned with its business goals, and another 45 per cent believe policies are only somewhat well-aligned with those goals.

The first step is to create policies that can be enforced, meaning that there must be ways of verifying when policies have not been implemented properly or followed to the letter. Additionally, policies should not discuss specific technologies. Their role in the organization is to specify, at a high level, the behaviours that the organization will and will not allow. For example, a policy might dictate whether employees may run streaming media over the company network.

There’s a fine line between creating an enforceable policy and discussing the technologies used to enforce that policy. For example, if you want to give employees remote access to the corporate network, you might create a remote-access policy that requires them to have proper security mechanisms in place on their home network and systems. How can this be enforced?

In this scenario, an effective policy might be stated this way: “Employees with remote access must give their IP address (if using cable or DSL) to the security group and implement company-defined security measures on their home systems, which include, but are not limited to, anti-virus software and firewalls. Periodic scans will be made against these addresses to ensure proper security measures are in place. Violators will have their remote-access privileges revoked.” With this wording, you clearly specify what must be in place, how the company will ensure the policy is being followed, and the consequences for failing to follow the policy.

After the security policies have been created and approved by management, the next important step is to communicate them to all employees. Besides including policies in the new-hire packet, the company should make them available in public areas for everyone to read. The corporate intranet is a great place to post security policies. Sending periodic e-mails to all employees with the policy document attached is also effective, and it’s the most popular method among our survey respondents

At a minimum, the policy document should be sent to all employees whenever changes have been made, and any changes to the policy must be clearly communicated to everyone. Again, a good way to do this is via e-mail. Send a message to all employees that briefly discusses the changes and include a link to the complete policy document posted on the intranet.

All employees should sign and date a document that says they have read and understood the policy when they are hired. This not only encourages employees to read the policy document, but it’s key when trying to enforce a penalty against an employee who has violated a policy. Having employees sign such a document annually or whenever major policy changes have been made also helps ensure that employees continue to understand the policies.

Enforcing security policies can be difficult. One of the best ways to make sure policies are followed properly is to create procedure documents that provide detailed, step-by-step guidance for implementing them. This is where the security policy should be discussed in very technical terms. For example, if your security policy says that passwords to log on to the Windows domain must be changed every 60 days and cannot be reused, then the password-procedures document should contain detailed instructions on how to configure your Windows domain controller. A policy development tool that is very helpful with creating such procedures is e-business technology’s PoliVec Builder.

Both policies and procedures should be continually monitored and periodically audited to ensure that systems are configured in accordance with security requirements. For example, a security policy might state that the only public shares that may be created on desktop systems are shares to the company file server. An audit should be able to find violations, such as shares for file transfers, and allow you to reconfigure users’ systems to conform to the rules. Without monitoring and auditing, you’ll have no idea whether your systems are misconfigured or performing as policies require.

Security policies are a crucial component of any organization’s IT infrastructure, but they are often created and then ignored. Aligning policies to business goals requires regular updates in response to changes in the business environment. Security policies must be reviewed, updated, and communicated to ensure they remain timely, effective, and enforceable throughout the organization.

Policy Perfect

1. Create clearly documented policies that can be easily monitored and enforced. Make sure you include penalty provisions if policies are not followed.

2. Disseminate the policy document to all employees. Make them sign and date a document that states they have read and understand the policy document.

3. Create procedure documents with detailed instructions for implementing and enforcing policies.

4. Continuously monitor and audit systems to ensure they continue to adhere to defined policies.

5. Review and update policies regularly in response to changing business conditions and goals.

Technology Analyst Mandy Andress (mandy_andress@infoworld.com) covers security and networking for the InfoWorld Test Center.