OK, Folks, Look But Don’t Touch

Like it or not, Canadian business is being driven to expose itself a whole lot more than it may feel comfortable doing, as both customers and partners demand greater access to precious corporate information systems.

That’s creating something of a Catch-22 for companies that must vigorously protect their valuable information resources from prying intrusion and malicious corruption, yet at the same time strike a revealing pose for a world of customers, business partners and others, providing access to their files and systems to those who demand the convenience of open information access. It’s a classic case of diametrically opposed goals.

Thanks to the Internet, literally anyone with a personal computer now holds the keys to the kingdom, as it were: access to a wealth of data, information and ideas. With electronic commerce, more and more people choose to circumvent traditional methods of information retrieval and bureaucratic wrangling, preferring instead to do it themselves, gathering the information they require or conducting their own transactions directly. And the Internet is rapidly becoming the preferred wide-area-network enabler for linking corporate enterprises and for doing business in general.

Given this ever-increasing demand for information access and the absolute necessity of protecting business IT resources, what’s an IS department to do? There is a wealth of tools designed to help businesses build a buffer between their carefully cloistered information systems and the cold, cruel world. But the foundation of a successful security program is an information security policy that defines the scope of security, maps out the overall strategy for implementing and maintaining it, and ingrains security in the business culture. It’s a fundamental exercise. With a policy in place, it becomes apparent which tools are needed to meet its provisions.

Security policies should be driven by the business mission. It’s an exercise in striking a balance. Businesses need to ask themselves what IT services are required over the Internet, for example, to support their business goals, and what level of risk they are willing to assume. You can’t reduce Internet-related risk to zero, but it is quite possible to manage risk down to a level that is acceptable when weighed against the business benefits of providing Internet-based services.

Developing an Internet security policy is a complex task, but the following guidelines may help in the effort:

TOP DOWN AND BOTTOM UP. Management commitment is always important. Top management needs to provide the teeth behind the policy: funding for education and awareness programs, a clear statement of what is expected of Internet users, and the consequences of violating the policy. At the same time, the policy needs to be driven by the needs of the business units and match the company’s way of doing business, and information owners and managers must support it.

INFORMATION-BASED. Security policy should start with the identification and categorization of the types of information the business creates, processes and manages. A standard set of sensitivity categories should be defined and documented in the policy, and the policy should define the controls that apply to each category of information and the responsibilities of the owners and users of sensitive information.

INVOLVEMENT OF A NEUTRAL THIRD PARTY. Developing a security policy often drives a number of organizational decisions. Who should be responsible for incident response and escalation? Who performs security training? Who administers the firewall or manages encryption keys? Answering these questions often sets off border wars between organizational elements, so it is often helpful either to bring in a consultant to provide an unbiased opinion or to form consensus teams with representatives from the business units involved.

A security policy is worthless without an awareness and education program, typically a marketing campaign designed to change user behaviour. It’s useful to post the security policy in a form that is accessible to all, on internal Web servers, for example. Other, less expensive awareness options include discussion and information in a corporate newsletter, a security briefing as part of new-hire orientation, and short but regular e-mailed messages about security topics sent by the CEO to all employees.

Security policies are the blueprints for building systems that reconcile users’ need-to-know demands for information with the business’s need to protect its IT resources. The policy is not the be-all and end-all, but rather a good place to begin.

Dan McLean is research manager, network support and integration services for IDC Canada Ltd. in Toronto.