Tips to Implementing Your Security Policy

Posted on June 19, 2008

Implementing a security policy is often viewed as a one-week, one-man project. Decision makers do not view security policies as ongoing projects, such as developing software or maintaining a website. Nor do they feel anybody outside of IT needs to be involved. But, like many other projects, security policies also evolve and are full of bugs that need fixing. Time is the only factor that allows for such improvements, but time is all too often overlooked.

Common Pitfalls of Policy Enforcement
Companies will often succeed in strategically planning their security policy, but run into problems when it comes time to enforce it. This can stem from a poorly executed policy in which policy makers did not anticipate the amount of time it would take to properly plan, educate, and train employees.

Just like a company should attempt to motivate all their employees on a new idea or vision, a security policy should be executed in the same manner. People need time to buy into it or else it is bound to fall apart. The most common pitfall in enforcing a security policy is the lack of executives continuously practicing the new policies themselves. A security policy needs to unfold in a top-down direction in order to be effective.

Another common pitfall of enforcing a security policy is the lack of consideration for the employees. Too many decision makers feel that if a new policy is put into place, all employees should fall in line without any complaints. But employees will feel more appreciated and be more willing to comply if their efforts to change are actually recognized and rewarded. Your company may want to consider planning an incentive program to go along with your security policy. If not, at least make it as easy as possible for users to adopt the new policies.

Structuring Your Policy Roll-Out
During the planning stages of the policy, security risks within procedures were identified, as well as a plan for how these risks will be handled. The improvements that need to be made should be listed in order of importance.

The list(1) shown below can be utilized as a cheat sheet to help categorize the procedures into different implementation groups. Each change should be categorized as having high or low user impact (UI), and having high or low security impact (SI).

For example, say you want your IT administrator to change the default passwords every month, as part of your new security policy. That would not impact the average user much, but it would be a high security benefit. Therefore, it would be placed in the first group.

1) LOW UI, HIGH SI - Has minimal user impact so changes can be easy and immediate. (Ex: Changing default passwords every month)
2) HIGH UI, HIGH SI - Requires education and training with a high impact on security. (Ex: Deployment of new security software such as encryption)
3) HIGH UI, LOW SI - Requires education and training with only a low impact on security. (Ex: Holding meetings to educate users about new security policies)
4) LOW UI, LOW SI - Can be deferred until after completion of other solutions. (Ex: Moving one security solution that works in one dept. to another dept.)


Prioritizing Your Policy Changes
The quadrants are numbered to specify which changes should be implemented first. Keep in mind that although activities in quadrants 2 and 3 require more time for a learning curve, the education and training can take place at the same time that changes in quadrant 1 are being made. Changes placed in quadrant 4 are not as urgent and do not provide much improvement to existing security and therefore are usually deferred to a later time.(2)

The Move toward Policy
Now is the time for companies to start taking security seriously. Whether it's an insider who steals customer records from Fidelity National Information Services or a hacker who breaches the information network of Ohio State University, stricter policies will help to prevent such incidents, both intentional and accidental.

Resources and tools have become more readily available than ever before, so the process does not need to be performed alone. There are companies out there who can meet your needs once you've identified them. If the tips provided in this article are applied in the planning process of your company's security policy, it should lead you on your way to creating a safer and more secure environment for your employees and your customers.

End Notes:

1) You've Got a Security Policy. Now What? Implement & Integrate. 3 Jan. 2007: 4.

2) Ibid.
