Print
Discuss
Send to friend
RSS feeds
What is security? It has to be practical. Many organisations have risk management policies which read like War and Peace and one that I came across recently was more than 100 pages long.
I gave it to a student to read and he told me he didn’t know if it was a policy, a standard or a guide, and he didn’t understand anything in the document itself. There was at least a written policy, but it was over-complicated and did not deliver proactive security.
A lot of organisations have standards in place but the question is: Do they follow the standards? And does anybody really care?
A two-page security policy can capture the user requirement. They should not have to understand every detail about the organisation. The security policy should be there to assist the business to deliver its mission it should not be used to hit people over the heads when things go wrong.
Credit report supplier Experian is
an example of an organisation that is very aware of its profile in the market,
and it went to extra exceptional lengths to deliver security.
One of the challenges Experian had was to seek certification under the
ISO
17799 standard, so that the business delivered good, sound, security
practice. The certification was put in place and paid dividends.
Many organisations may not consider security enough when building new
systems. When deploying operating systems, applications or any other part of
your infrastructure, it is important to consider how security can be best
enabled.
An example is free file encryption, which came with Windows 2000 onward. People who have lost laptops often say they couldn’t afford encryption, but, in fact, they usually already own it. Encryption is not infallible, but it does heighten the security barrier.
One of the major concerns that many organisations have today is the amount of devices that users bring to work USB devices, iPods and so on.
Each and every connection in the corporate environment poses risk. If blocking technology is deployed to cope with this, the number of devices often shown to be connected to the network is very scary. It shows a lack of controls if full use of adequate technical security to monitor usability is not made.
This is not about a user coming in to attack the system; it is users who do what they can because they can do it.
A security policy is written for 99.9 per cent of users, but the clever user who is really there to attack a system is the one who knows about the policy and has read it thoroughly.
Some users will always abuse their rights, they will pose consistent and constant challenges.
John Walker is chairman of the
Information Systems Security
Association UK
expert technology panel. This article is taken from a transcript of Walker’s
presentation in a
Computing
web seminar “Managing risk: The challenges for companies”.
Visit: www.computing.co.uk/webseminars
Tags: Security, Skills, Strategy
del.icio.us
Digg this
reddit!
