About.com Business Security

The Four Must Have Security Policies

From Ryan Groom,
Your Guide to Business Security.

Why do you need security policies?

Introduction

Security policies are fundamental to my professional life. However, just because someone in HR writes a policy doesn’t necessarily mean it is followed.

Policies are a double-edged sword. Ideally, policies are in place to protect the workplace: they cover data loss, inappropriate behaviour, what to do upon discovering an intruder, and what you can and cannot surf from your workstation PC, to name a few. Policies also inform users exactly what is expected of them while performing their job function. From a security standpoint, policies restricting certain types of behaviour help keep the network secure and less vulnerable to attacks. If you do a quick search for statistics, companies have a lot to be concerned about. Remember that a large percentage of hacks (whether inadvertent or malicious) will likely arise from the people you hired in the first place.

Many organizations suffer from Ostrich Syndrome, where they simply refuse to believe that all of the hassle of using policies is worth it. “We are fine...we are a 10 person shop”, or “who would want what we have.” Attitudes such as these are extremely dangerous. Does that mean I should bring my organization to its knees with compliance issues? Absolutely not! All organizations will benefit from having some policies.

My Personal Policy Nightmare

A number of years ago I was tasked with helping roll out a Capability Maturity Model (CMM) to an organization of approximately 60 users. The organization had no idea as to why they needed CMM. The thought of “lost, but making good time” springs to mind. So many resources were committed to complying with the CMM model that the company forgot how to do business. The resulting paperwork and lack of direction ended ultimately in the company closing down. If the company had taken a little time and established a base number of policies for all to follow, I have no doubt it would have fared better than it did.

Need for Policies

Policies give direction in time of need. Have you ever watched those documentaries about pilots whose airplanes suddenly cease to work as they should? The pilot reaches for a codex of policies. The policies were written beforehand and dictate exactly how the pilot should react to a given situation. The point is that trying to deal with a situation with no policy is extremely hard and prone to error.

Which Policies Needed?

I am often asked which policies an organization should have on hand. There is never an easy answer, as it depends on the business. Enforcing safe email habits may mean nothing to the SOHO owner who works as a one-man show, but in a 30-50 person company the need becomes increasingly apparent. If the organization you work for is more industrially inclined, you will need policies matching that culture. Ensure your employees are aware of the policies. Having a nag screen appear at startup is great for capturing implied consent to having read the policies, but employees still have to have access to them.

The Policies

Internet Usage Policy
This is the cornerstone for many organizations. Not only a mechanism to prevent employees from surfing inappropriate sites, this policy now also deals with viruses and the consequences of bringing them into the network. It should ban inappropriate web hosting, to stop those expensive servers you bought from being turned into torrent boxes by your coworkers (Don’t laugh, I have seen it). The policy should address traffic sniffing, gateway software and proxies. Users should know not to bring in wireless routers to plug into their LAN connection because the cable for their laptop is too short. This I saw in a number of Municipal Governments in Canada. Instant messaging. Do you allow it? If so, where and to whom? All users should be signing this policy when they sign their employment contract.

Acceptable Email Use
What constitutes acceptable email use is up to your organization. At the very least, users should know and understand about SPAM and Phishing. Users must know not to use work-related addresses for personal use. What AntiSpam software do you run? Ensure users know how it functions. Email is still the biggest entry point into an organization for attackers to try to exploit. Why? The human element. If a user can be tricked into running an attachment, the bad guy will own the computer. Remember, users do not own their company email; it is the property of the organization.

Software Installation Policy
This policy is used to explain why some computers are locked down to prevent installation of software. Many organizations overlook this step in an effort to instil trust in their coworkers. Bad move. Trust is great, but again you must account for human curiosity. When that great new screen saver comes out and it is a Trojan which allows your secret chocolate chip cookie recipe to leak onto the internet, that trust has been lost. Only allow administrators to install software. This is becoming more apparent in newer operating systems such as Vista, but it should still be passed on. Empower the users to do their jobs and give them all of the tools required. Just be careful as to the amount of access you give them.

Exit Policy
What happens when someone needs to leave the organization? With policies in place it is a much less human process: all employees are treated the same and there is no room for error. What rights and privileges need to be rescinded? I worked at an organization where an employee was terminated for sniffing traffic across the network. The user was given two weeks and allowed to return to the office. The company may have felt better, but the security team was pulling its hair out. It is even worse if the person leaving is an administrator; then a special exit policy would be required.

Conclusion

Policies will help your organization protect itself and help the users with their day-to-day tasks. They should not be frowned upon as a necessary evil. One last point to make: if you want any hope of users following the policies, they need to be embraced from management down.
©2008 About, Inc., A part of The New York Times Company. All rights reserved.