Keeping it real: Updating your security policy in 2010

Too many organisations are writing policies that are too long, and not updating them frequently enough
Neil Glasson, Land Registry for England and Wales
What's the point of a stick when you don't tell employees that you've used it?

Who remembers Second Life? Andy Jones, principal research consultant at the Information Security Forum, poses this question to stress the vulnerability of security policy formation and instillation to the vagaries of technology fashion. “Things do come and go”, he says. Policy has to be more about “protecting confidential information. The technology will change and will do so faster than your policy can”.

Too many organisations are writing too many long security policies – great tomes, worthy of a Victorian triple-decker author, that are more about CYA than IRM (information risk management). Such is the consensus among the information security experts interviewed for this article. What makes for a good security policy? It should be concise, clear and to the point – the point being the rational management of realistic risk.

"Policies are often unwieldy and far too big; too rigid, and discouraging of autonomous thinking"
Rolf von Roessing, ISACA

Employees are more likely to be engaged by a video that is ‘of the moment’, or a security luncheon where the quality of food you get to eat depends on how sussed you are on security, than they are by a door-stopping manual or a boring PowerPoint presentation in a conference room. Employees are, moreover, people who, in recent years, have been traumatised by recession, redundancy, and outsourcing, and have sought solace in social networking sites on which they can be over-exposed, and find themselves over sharing.

What makes for bad security policy, then, in this 2010 context? Rolf von Roessing, international vice president of ISACA (and an external adviser to KPMG) laments that “policies are often unwieldy and far too big; too rigid, and discouraging of autonomous thinking”. In order, he says, “to be pervasive, understood, and accepted [they should be] concise [and function] like health and safety guidelines on the factory floor.

“People will listen and internalise [policy] if the communication is linked to something they are interested in as opposed to something of which they are afraid. Incentives, too, are good. Again, look at manufacturing where the end-of-year collective bonus goes down with each infraction of health and safety policy”.

"Good policy needs the support of senior management, and needs to be reviewed by them frequently, but not too frequently"
Neil Glasson, Land Registry for England and Wales

Good trends that von Roessing discerns include the adoption and pursuit of standards – signally BS7799, now ISO 27001. “It is good that 27001 is being followed, and that there is a generally more holistic approach to corporate security. Less good is a trend to over-control, to get more detailed, minute, ever more elaborate regulation. What then happens is that people will start cutting corners”.

Don’t just CYA

Leo Thrush is the chief instructor for security certification body (ISC)². He has a distinguished background in the US security community as, among other things, the lead trainer and mentor to the National Security Agency (NSA) System Security Engineers (SSEs). He has trained many of the elite security personnel within both the US Government operations and intelligence communities. Thrush is currently researching a PhD on effective implementation of IT security policy within the American government, and is a professor with the University of Fairfax in Washington, DC. He is also a keen advocate of security luncheons where employees get to find out why their dining companions are chomping on steak while they’re masticating hot dogs. It pays to know your security policy.

He, too, finds much information security policy practice to be wanting. Policy should, he says, be made part of the culture of the organisation in question, tailored to what is acceptable risk for it. “Policy should be risk based, and always around where you are having issues”, says Thrush. “Many, many organisations have too many topics, far too often. There is too much CYA”.

Fifteen to 20% of policies Thrush has seen in his recent research have been fine, the remainder not so. “Many are vanilla, generic”, he says, and recounts having seen 16 pages on how to do secure software development in an organisation that produces very little code. “That was a heavy equipment manufacturer.”

Are many IT security professionals writing huge CYA policy documents because they do not understand the risk profile of the organisations that employ them? Are they, in other words, not business aligned? Thrush says that this is the case.

“Unfortunately, many IT security people do not understand business-IT alignment, so they end up writing these huge security policies that are all about protecting everything. So much effort is going into protecting what is not important.”

IT security people are in danger of being sidelined, he says. “[Part of the issue is] that IT professionals have made IT and security look easy, so that senior business people take them for granted. Unfortunately, the education of business professionals in business schools is not sufficiently technical to make them appreciate the value of what they have”.

On the infosec side of the house, “the tightly knit information security community is too self-effacing”, claims Thrush.

"Unfortunately, many IT security people do not understand business-IT alignment, so they end up writing these huge security policies that are all about protecting everything"
Leo Thrush, (ISC)²

His main advice to IT professionals is to ally strategically with the operations function. “It’s better to report to the chief operations officer and get him on [your] side. That is more effective than the continual aspiration to report to the CEO!”

Fleet-footed horses for courses

Geoff Harris, president of the UK chapter of ISSA, agrees that, in terms of style, policy should be “as clear and as lightweight as possible”, and fit snugly with “the organisation’s culture”. Andy Jones of the ISF makes similar points, and confirms that about 18 months ago the Forum made a database of ten members’ security policies. “They were surprisingly diverse, despite the ISO standard”, notes Jones. “They ranged from ‘we’ve employed you, so we trust you’ to ‘you must, you must’.”

“Some had grown organically into monsters and the challenge is now to tackle that. In large multinationals the question of ‘what our business is’ changes a good deal”.

Andy Jones comments, too, that “tickbox compliance has been an enemy of innovative good practice” in security. He also touches on the phenomenon of cramming the policy. He uses child pornography as an example. “That’s against the law, so why put it in a corporate security policy?” We don’t, he comments, put ‘don’t murder your colleagues’ into a contract of employment.

Pornography is also subject to interpretation. “What if a company publishes magazines containing images that could be seen as porn?”, asks Jones. “Moreover, if you have a technological solution that works against porn, why put it in a policy? It just annoys people, and draws their attention to things unnecessarily”.

"Policy should be risk based, and always around where you are having issues"
Leo Thrush

However, Jones considers the notion that infosecurity staff write long CYA policies because they do not understand the risk profile of their own organisations to be “a bit harsh, though there is an element of that”. It’s better to say, in his view, that “the way we approach risk is still very much at the system level, and that is not how businesses work – we should be more at the process and information levels”.

Buy in at Land Registry

Land Registry for England and Wales is a government institution that “went the whole hog” with BS7799 (now ISO 27001) eight years ago, says Neil Glasson, security architect at the organisation. As a practitioner, Glasson declares that he is “not happy with the idea of a security policy as a huge tome that no one will ever read”. Land Registry, which participates in the Corporate IT Forum – sharing and drawing insight in a ‘Chatham House Rule’ environment – has a dialogic approach to generating and enforcing security policy. The organisation has 6400 employees, spread over 19 sites in England and Wales, and has 400 IT staff.

The process of establishing the policy is cyclically consultative. Policy is approved by senior managers and then goes out to relevant staff – for example, groups of laptop users for laptop policy. It then goes to the ‘business risk’ board, then the senior management board. There is then, as appropriate, consultation, via human resources, and with the unions.

“Good policy needs the support of senior management, and needs to be reviewed by them frequently, but not too frequently”, says Glasson.

They also break policy down into functional blocks that are aspects of staff’s working lives – for example, browsing, doing email, and so on. They capture these in one or two pages, and deliver them over their intranet. Glasson stresses that this is not mere broadcast. “There are interactive glossaries, with FAQs. That is where the biggest value lies. It’s all about dialogue”. And dialogue with an IT security team who have all been put through Plain English courses. All staff at Land Registry also go through level 1 Cabinet Office-originated information assurance training; and information asset holders get level 2 training.

Glasson confirms that people have been disciplined for contravening corporate security policy at Land Registry, and he advocates telling staff about such incidents. After all, what’s the point of a stick when you don’t tell employees that you’ve used it?

Stuff your policy!

The recession and the trend to outsource IT are two external factors that determine how real you can make security policy.

ISACA’s von Roessing comments of the recession that “where there is more regulation there has been less impact. However, where IT people are in danger of losing their jobs there is vulnerability”. These are the people with the keys to the kingdom, he implies.

“If you make people feel that they are expendable, that IT is a commodity, that it is just an ugly cost item, then you are stoking up trouble”, says von Roessing. “You should make sure you recognise these people and build organisational security around that. It’s a bit like R&D people in the old days – the boffins you need to look after. And you should never outsource strategic IT”.

Where IT is outsourced, “you can harmonise security policy, using COBIT in the middle. You need to certify the outsourcer in some way, and you’ll retain the right to audit”, he continues.

"Tickbox compliance has been an enemy of innovative good practice"
Andy Jones, ISF

Leo Thrush of (ISC)² agrees that “you can’t get loyalty from people whose jobs are under threat. They will extract data from your network regardless of policy. And you can’t replicate commitment and loyalty in an outsourced situation”. ISACA’s Geoff Harris maintains that there is a lot more work to be done in this area, for example with companies out in India. “Things have got better, but not as good as they need to be.”

The Information Security Forum has an initiative in the area of third-party security policy. “It’s a big issue”, says Andy Jones. “Some corporates have 500 to 600 third parties, and the outsourcers can have hundreds of clients. The ISF is one of a group of organisations intent on nailing down a ‘common assurance metric’ for outsourcing, redolent of the efforts around BS7799 fifteen years ago.”

As for the Facebook generation, and the threat it is often said to pose to corporate security with its compulsion to over share, von Roessing sums up his approach: “accept, adopt and adapt. The impact will be serious in a few years’ time. At the moment we are in the early days – comparable with the early days of e-commerce. But it is a tidal wave that cannot be stopped”.

Seven Top Policy Tips from the ISF
  1. Centralise policy management
  2. Target and analyse high-risk staff
  3. Use methodologies developed for external compliance (for example, Sarbanes Oxley) for internal policy
  4. Reward good behaviour
  5. Test in extreme conditions
  6. Be sensitive to local cultures
  7. Clearly link policy and risk
