An enterprise's information security policy is the center of its information security program. Organizations fail security audits, lose shareholder, investor and/or customer confidence and can face financial and legal issues when their security programs expose damaging vulnerabilities.
In fact, when assessing security policy failures, the law of torts asks if two conditions have been met: first, did the organization have a duty; and second, did it fulfill that duty. By investing in the implementation of a well-crafted security policy, an organization shows a strong sense of duty. However, if the rest of the information security program is not performing in compliance with the policy, that demonstrates a failure to fulfill that duty. A lawsuit against the organization based on a security flaw would have a good chance of succeeding under these circumstances.
Organizations fail security audits when their programs are ad hoc, piecemeal, reactive or implicit. In contrast, organizations can succeed when the security policy is comprehensive and integrated with other policies and business practices – resulting in strong brand value and constituent loyalty. To succeed in this way requires a well-defined security policy, consistent policy monitoring and communication of monitored results to key stakeholders.
Knowing and disarming the challenges
The development and implementation of a security policy is a painstaking process, one that on average can take a year or more to develop depending on the current state of the enterprise. An organization – particularly a multinational organization – has several challenges to overcome before a security policy can be effectively implemented. These challenges are threefold.
Political. An information security program begins with the governance of the organization. The Board and the Executive Management team define the goals and metrics associated with the program as they map to the overall vision and mission of the organization. In some instances, these oversight mechanisms will conflict with 'renegade' business processes that have proliferated unchecked, resulting in political conflict between IT divisions and/or business resource owners.
Technical. Challenges in this category are twofold. First, reconciling corporate policies with technology can be highly complicated. For instance, if a company has a statement concerning its obligation to preserve the confidentiality of customer and employee personal data, then its information security policy should specify processes for data classification (including how to handle data that might be personal), acceptable practices for maintaining the confidentiality of such data, and guidelines to follow should an employee suspect that personal information has been compromised. Secondly, security architecture must be flexible enough to encompass diverse platforms that may not naturally fit together. In other words, it must be able to operate seamlessly, enforcing a set of general rules and procedures across systems without regard to assumptions about the specific capabilities or limitations of any particular platform.
Cultural. Untrained end users can compromise the success of an information security policy and enforcement program. Training and awareness programs help everyone become familiar with the goals and metrics governing the organization's IT-based activities. However, training and awareness programs must be appropriately tailored for the target audience, demonstrating easily identifiable value propositions and providing incentives for implementation and compliance. No amount of technology will compensate for user ignorance.
Once these challenges have been addressed and an information security policy has been successfully implemented, a process must be established to survey and assess ongoing policy effectiveness and areas of potential vulnerability. A program of comprehensive security audits is the best way to police your information-security policy: a good audit is unforgiving and will reveal areas of exposure that put the organization – at all levels – at risk.
Conducting regular audits
Security audits, which are now mandated for many organizations, require security policies to map to broader corporate mandates such as privacy, as well as keep critical information and data safe. Alarmingly, many organizations, even after implementing a security policy, fail audits.
Most failed audits are the direct result of a lack of basic controls established to handle sensitive information. Most organizations understand that some data bears risk, but they tend to underestimate the actual risk associated with the loss, alteration or inadvertent disclosure of such data, and often omit some critical data from consideration. To prevent this misalignment, organizations need to know who has permission to access specific information, applications and systems. Too often, under the pressure of time, user access permissions are granted but then are not revoked when the access is no longer needed. (Paradoxically, these same organizations often have delays in provisioning permissions to employees.)
Security audits frequently expose the presence of obsolete user IDs, which can be exploited, often maliciously, to gain 'legitimate' access into corporate networks. It is an unnecessary and unacceptable risk to have permissions and access rights available to individuals who are no longer employed by the firm. Another common cause for audit problems (findings) is the presence of default passwords for systems or applications, an oversight that can be exploited all too easily. A tool that provides password update capabilities can mitigate that class of risk – if it is deployed under the governance of an effective information security policy.
Formal audits can follow any number of accepted methodologies (e.g. ISO 17799) and are offered by major consulting firms. However, many of these failures can be prevented through a process of informal self-audits that often yield insightful findings and serve to prepare an organization for the rigors of more stringent third-party audits.
Imagine an employee – not a security professional – walking down a corridor and seeing someone doing something inappropriate online. First, would she know if what she has seen was right or wrong? Second, would she choose to report it? And third, would she know whom to call?
In more formal terms: is there a common awareness of appropriate and inappropriate use? Is there a culture of security? Furthermore, does the organization have the appropriate management mechanisms in place to support that culture? If the answers are "yes, yes and yes," then you've passed the informal audit. If any of them are "no" – if employees don't know the difference between what's right and what's wrong, if they are not inclined to report a problem, or if the reporting mechanisms aren't working – then you have failed. It doesn't matter what technology you have.
A successful audit detects specific findings that expose the organization to unnecessary risks. These findings could arise from technology that isn't properly configured; individuals who are not aware of (or have incentive to use) reporting mechanisms; or, most often, business processes that jeopardize information security principles – confidentiality, separation of duties, minimum need-to-know, weak logging and tracking – in favor of other (spoken or assumed) values.
By properly assessing and classifying sensitive information and developing business processes that incorporate reporting, assessment and/or auditing, an organization can ensure that information security risks are understood and managed appropriately.
With a comprehensive security policy that's well-developed, carefully communicated and regularly audited across the organization, you will be able to answer "yes" to our original question: "Yes, the Board of Directors can assure that our organization's information security program is deployed fairly and legally in every jurisdiction in which we operate."
Bill Malik, CISA, is chief technology officer with Waveset Technologies, a provider of secure identity management solutions (www.waveset.com).
Waveset Technologies is also exhibiting at Infosecurity Europe 2003, which takes place at London's Olympia from April 29 to May 1.