As we have moved further into the internet age, with increasing use of the web, intranets, extranets and ecommerce, the risks associated with these technologies have continued to grow. Yet, the implementation of corporate security policies has lagged well behind the rapid development of online communications.
Many companies still do not appreciate the huge asset value of information or to what extent internet technologies put that asset at risk. They have simply not thought through the consequences of losing corporate information. They happily spend money on the physical security of their building and contents, but neglect the security of company information, the loss of which may be much more damaging financially than the loss of actual physical assets.
Security policies aren't just about stopping hackers or viruses, although these remain critically important issues. The increased diversification of web-based activity is presenting new challenges.
The easy distribution of email also creates many opportunities for libellous publishing. An email may contain defamatory comment made by (often junior) staff who have never been told what the company's policy requires of them in this area of their work.
Similar policy generation and awareness issues arise in relation to individual involvement in chat groups, use of email for personal purposes, and the accessing of inappropriate web sites during working time (e.g. sports, leisure and, of course, pornography).
All these issues and more should be dealt with in a security policy. A security policy is a wide-ranging document that is about managing the business as a whole, managing it securely and protecting a company's key asset—information.
The impetus for a security policy must come from the top. Senior managers must make it clear that an essential part of the company's success will come through the proper and best use of information.
They should stress that information needs to be properly managed and protected, and that senior management will be actively involved in drawing up a security policy to this end.
Management needs to make the policy reflect the ethics and philosophy of the company and to demonstrate to staff that the board is committed to making it work. They also should make it clear that they expect everyone in the company to share this commitment.
In many companies, formulating and managing the security policy remains the responsibility of the IT department. This approach—often a default position—can create a number of problems.
Firstly, the IT department's view of security may not necessarily reflect what senior management would want. And secondly, if IT staff have to implement and enforce the policy, it can put them in a very difficult position. Other staff may simply not recognise that IT staff have the authority to dictate to them, and may refuse to co-operate.
Security policies have a number of human, financial and legal consequences. Great care needs to be taken in formulating policy particulars, in creating the standards against which a successful implementation of the policy will be measured, and in presenting that information to staff.
Charles Cresson Wood's "Information Security Policies Made Easy" CD and book is a particularly useful guide to the principles that should underpin the formulation of successful policy and strategies for implementation.
If you are worried about hackers accessing company information, for example, you will already be thinking about encryption. The book advises on the issues. You should carefully consider the type of information which has to be encrypted, and resist the temptation to encrypt everything. Restrict the use of this safeguard to properly secret information.
So you encrypt secret data sent over networks because it could be wire-tapped. You encrypt secret data being transported on computer readable storage media. You encrypt secret information when not in active use to prevent it being inadvertently disclosed.
But encrypt indiscriminately, and you tie all the information required for the efficient day-to-day running of the business to a single safeguard: any temporary problem with your encryption software and everything stops.
Selling the security policy
You need to sell the value of a security policy to staff. Introduce it over their heads and you're likely to get rebellion.
Stress that the policy is about a corporate commitment to protecting the company's information. Promote this commitment as a key factor in business growth and a key factor in protecting jobs for the future.
The message is: this policy is not just a series of bureaucratic, annoying rules which slow everything down and cause inconvenience.
And it's not about the company operating a big brother policy. Instead, the policy is a key element in carrying forward the company's ethics and corporate standards, and is for the benefit and prosperity of the vast majority of honest and responsible employees.
Security measures can provide additional information on various aspects of the business. The benefits of being able to access and learn from that information should be made clear.
Intranet monitoring—which means identifying the elements that are accessed regularly, and those that are disregarded—will help you plan a responsive network for the future, making information more easily and readily available to staff.
Monitoring will also tell you who is using your web site so you can follow up on hot sales leads.
You should be continually sensitive to the differing effects that security policies will have on staff. So if you decide to monitor emails because some confidential information has been passed to competitors, all you need to do is check outgoing emails.
Checking every message that passes around your offices will stop the business working effectively and cause a lot of annoyance to everyone. Remember, the human consequences of security measures are just as important as the legal and financial ones.
An effective communication of policy—which means telling staff what they have to do and why they have to do it—is central to the challenge.
A quick email on a policy that will require major changes in the way people work is not enough.
A successful policy will require explanation and promotion in a structured programme of group and individual meetings. Intranet and newsletters should be used to support and reinforce the principles of the policy.
When you monitor, do so overtly, not secretly. If you're monitoring for hackers, tell staff how many attempted breaches of the firewall have been successfully thwarted because of the policy. If you intend to periodically check emails to see if anyone has distributed pornography, then make that intention clear, along with the reasoning behind it.
Periodic checks mean you don't have to continually monitor. And if the penalty for distributing pornography is dismissal, then carry that out if someone is caught.
You need to show that you are serious about your policy and this will provide a powerful deterrent. As in all things, if people do something they know is not allowed and get away with it, they will just do it again, and others may start imitating them.
The first step in planning for a security policy is to undertake a study to assess your company's risk. This should use a risk assessment/analysis system to identify and prioritise key areas of exposure.
Then you can begin to formulate a policy. First comes the decision to take a certain action. Next come the standards that explain why this should happen and the issues surrounding it. Third come the tools, such as firewalls, authentication and encryption, which are the means through which the policy will be carried out. Unfortunately, for too many businesses the tools arrive first and the fundamental thinking never gets a chance to happen.
A not uncommon scenario is for the managing director to come into the IT department (having read about a hacker posting a major company's secret marketing plans on the internet) demanding to know what IT is doing about this. This just produces a knee-jerk response, with spending and effort expended in installing security tools which are not necessarily what is most needed or most appropriate at the time.
Security is an ongoing issue. The risks change continuously and your policy should be regularly reviewed. Remember: security will always be a trade-off between the need to respond to potential threat and the need to let your business operate efficiently.
Perfection, in information security terms, is a fundamentally flawed policy goal.
When you review policies, it is vital that the principles of staff involvement that underpinned policy development are carried through to the ongoing assessment process.
Put the emphasis on success. Praise staff for the fact that the company succeeded in making the website totally available for one whole quarter; that there were 2,000 attempted breaches of the firewall and none were successful; that the latest macro virus caused companies all over the world to stop using e-mail for 48 hours, while the virus control system that was installed as per your policy prevented similar disruption.
Finally, never forget that the most important single element in security is the co-operation and commitment of staff.
The foundations of your successful information security policy are the people who will work within it. Explain the importance of information, explain the reasons for security policies, explain why things have to be done in a certain way, emphasise the benefits of security and praise success.