The missing element

People and IT usage patterns need to be taken into consideration when writing a security policy, says Sathya Mithra Ashok

By Sathya Ashok. Published August 6, 2008

A security policy is pretty much the first place most people start when they are considering investments in security technology. But, how exactly does an enterprise go about writing a policy?

This is the question that I have been posing to vendors and end-users alike over the past week, and I have been receiving a variety of inputs on the things to keep in mind.

For instance, the need to classify data and understand the importance of each piece of information within an organisation, so that the firm knows thoroughly the relative importance of the information it needs to protect.

This should be followed by an assessment of threats and what potentially could harm the company's data. This would include analysing whether the company is more likely to be attacked by external elements or has higher chances of leaking data through internal employees.

That done, the company can do an incident analysis, understand the potential damage that each possibility can cause and then draw up a security policy. This policy should ideally include not only how employees and the IT team can prevent attacks (internal and external) from happening, but also the escalation and response process if it does happen. (Read October's NME for the full-length article on how to go about writing a security policy).

All well and good, but there is a slightly obvious missing piece here - people. A security policy has to be structured around how users behave or like to behave within an organisation. In writing a policy, the IT team will first have to understand how the majority of employees within the organisation behave or use their IT systems. The more closely linked a policy is to the way in which employees already use their systems, the more successful the policy can be in the long term.

In the process of writing the security policy, the IT team has to enforce intense teamwork among the various departments of the organisation. They have to bring together heads of departments, as well as their team members, to understand thoroughly how they use their systems and what, if anything, they are doing wrong. This should ideally be done in conjunction with data classification and threat analysis.

Only after settling on these elements can a comprehensive policy be drawn up. However, more often than not, this is where most enterprises tend to make a mistake. The IT teams can get so involved in classifying data, assessing threats and conducting penetration tests that they are likely to forget about the ultimate end-users, who have to understand, implement and follow the policy in order to ensure that it works.

It is essential that more organisations take into consideration the people element when forming a policy. Otherwise, they might find that their policy, while fantastic on paper, does not really work the way it rightly should.
