Policy patrol

With a number of high-profile data breaches in the news, companies are increasingly looking to shore up their shaky IT policies with solid examples of best practice. Imthishan Giado asks security experts for their advice.

By Imthishan Giado. Published October 24, 2008


When it comes to top priorities within an enterprise, IT policy often ends up lowest on the list - and it's not difficult to see why.

After all, a comprehensive IT policy that demarcates usage of IT infrastructure and regulates data handling to prevent misuse or loss is essentially a bill of restrictions for users.

Sometimes they are internal in terms of people peeping across various projects or trying to get each other’s salaries and stuff – which is very common in the Middle East. I once received a torn envelope containing my salary slip.

It gives them little incentive to follow yet another set of rules telling them what they can and cannot do.

This does not negate the fact, however, that instituting an effective, strictly enforced IT policy is essential to ensure that regional enterprises do not suffer the kinds of embarrassing data leakage incidents that have plagued government organisations in both the UK and US.

Nor do firms want to experience situations where highly-placed employees manage to leak confidential information or trade secrets for either profit or out of spite.

This isn't, however, to say that companies in this part of the world operate completely without the safety net of an IT policy.

The problem, says Faisal Khan, senior security consultant for McAfee Middle East, lies in the fact that many firms do not adequately explain to employees that rules and regulations exist.

"People put security in HR manuals here and there, which no one reads. So you need to market security policies across your employees. People don't need to enforce security - they need to market it as an acceptable option to the human mind. Once accepted, they'll start understanding it. But the hard route is backing it with HR policies and strict guidelines and everything which should always be there, provided you have enough education for your employees," he says.

Vineet Chhatwal, managing consultant for the Global Business Transformation Group at PA Consulting agrees, saying that many departments waste valuable time writing thick rule books which people simply ignore.

He suggests a better way of looking at policy: "You should break it down into two parts. One is the mandatory processes which everybody needs to follow, irrespective of where you are in the organisation.

Second, in a lot of companies when you sign your letter of employment or attend induction programmes, they're now increasingly dedicating at least half an hour to talking about specific information security issues and typical dos-and-don'ts.

It's this whole thing about architecting a policy in a comprehensive manner and breaking it up into parts that are easily digestible capsules, you basically should give it to them byte-size so people can quickly have a look at it and understand what's required," he continues.

"The third part is about ensuring continuous IT security awareness - which is still sort of non-existent in most organisations. You can have a brilliant security policy, make people aware of it in the induction programme - but things keep changing all the time and then there are only piecemeal messages. Just like you have a disaster recovery test, you need to have security awareness events. If you get these three components all right, then you get the right balance between the investment you make in security and the value that you get in terms of secured assets," says Chhatwal.

IT policies aren't tremendously difficult to write, but Chhatwal notes that many firms stumble by doing too much work trying to protect every single piece of data they possess.

"The policy has to be linked to whatever information assets that you're trying to protect. Everything doesn't need to be protected equally. If you're a large organisation and you're trying to protect everything based on the highest level of security, the system overheads will be huge," he says.

"So the key thing to do is define your information access based on the risk that you're exposed to. Different companies apply different methodologies. Some assess the public relations issues around a leak or a possible competitive advantage. There are some which in a high transaction kind of environment, look at availability issues and what kind of downtime is needed after a system is compromised," adds PA Consulting's Chhatwal.

When it comes to monitoring employees for actual violations, McAfee's Khan is a strong advocate of using video cameras as a form of subtle vigilance:

"It's all psychological. If there are cameras above you, even if they're not working, the guy will not try to steal. Let employees know they're being monitored - they won't do anything wrong. This will stop 80% of the regular employees from trying to do something wrong. For the remaining 20% who are too smart - we need cameras to monitor them."

There are some, however, who say that this approach will in fact have the opposite effect of engendering a sense of hostility among users who feel slighted at the lack of trust from senior management.

Ivor Rankin, practice manager, operational security services, Symantec MENA, says these fears are natural - but largely unfounded.

"We're not advocating an Orwellian-type society where every individual is being monitored 24/7. The organisation has the right to monitor for violations of acceptable usage policy and to deal with these violators. Even though it's a controversial topic, the fact is that technology, if used intelligently, can give a good idea through monitoring employees of what is actually happening without being invasive and looking at people's personal documents," states Rankin.

"People think that when we talk about real-time monitoring of systems that we're going to be infringing on their privacy, going through personal documents and logging every key stroke that they type. Although it may happen in one or two organisations around the world, it's generally not the way most organisations operate," he adds.

Tareque Choudhury, head of BT's security practice, offers a different take, saying that many enterprises are looking for outside monitoring:

"We're seeing a lot of popularity in outsourcing monitoring to external companies like CounterPane and Qualys.
