Business Accent
Security Policies: to be or not to be
Jaspreet Singh
Many organisations are complacent with regard to IS in an
age when computers and information systems are proliferating at an exponential
rate, and the risks are critical
Information Security (IS) has gained greater importance as part of every business
risk management strategy on account of recent events. Companies are moving to
the mature position that security should be integrated into the very fabric
of a business. In doing so, IS programmes need to move from being tactical implementations
of technology to becoming strategic partners in business.
One of the key elements of the internal control environment within any organisation
is its IS policy. This policy provides the high-level framework from which all
other IS security-related controls are derived. Many of us assume that nearly
all organisations have an IS security policy or something that would qualify
as such. This is not the case. According to a 1996 Datapro Information Services
Group survey of over 1,300 organisations from America, Europe and Asia, only
54 percent had an IS security policy. This was down from a high of 82 percent
in 1992, and was the lowest figure since Datapro began the survey in 1991. The
survey also indicated that only 62 percent of respondent organisations had assigned
a specific person to be responsible for computer security, and the majority
of respondents reported that less than 5 percent of their organisation's
IT budget was allocated to security.
A separate worldwide survey by Xephon of England confirmed these findings. Xephon
found that fewer than 60 percent of responding organisations had IS security
policies. Of those that did, only one in five was based on external standards,
the rest were essentially made in a vacuum.
The results of these surveys are alarming. They indicate that many organisations
are complacent with regard to IS in an age when computers and information systems
are proliferating at an exponential rate, and the risks are critical. If an
organisation does not have an IS security policy, a significant internal control
weakness has been identified, and a security policy should be developed and
implemented as soon as possible.
Furthermore, procedures should be implemented to ensure that the policy and
supporting standards are updated to include new laws and regulations as well
as changes in technology and business practices. The policy and any updates
should be communicated to all employees on a regular basis (at least annually).
Applicable portions of the policy and standards should also be communicated
to all contingent staff (vendors, consultants, temps, etc).
Information systems security policy
Information systems security policies are
high-level, overall statements describing an organisation's general goals
with regard to the control and security of its information systems. Policies
should specify who is responsible for their implementation. They are usually
established by management and approved by the board of directors. Because
most boards meet only monthly, changes to policies can often take several months
to become official. If the change is significant, the board may request additional
information or research before it votes on the changes. If the changes are relatively
minor, there may not be sufficient time on their agenda to address such minor
policy changes. For these reasons, it is important that IS security policy should
not be too specific.
For example, the policy should mandate that the organisation provide adequate
physical and logical security controls over computer hardware, software and
data to protect them from unauthorised access and accidental or intentional
damage, destruction or alteration. However, the policy should not specify detailed
controls such as the minimum number of characters required for passwords or
the maximum number of unsuccessful sign-on attempts allowed before suspending
a user ID. If this were the case, senior management would be constantly submitting
policy change requests to the board. As we all know, oftentimes controls that
were thought to be strong have been rendered inadequate by advances in technology.
At one time, five-character passwords were thought to be sufficient for business
applications. With hacking software now available at little or no cost on the
Internet, passwords of eight or more characters are currently required in many
organisations. It is therefore more practical to include detailed IS control
requirements in the IS security standards of an organisation.
Policy implementation
Determine the role technology plays in enforcing or supporting the policy. Security
is normally enforced through a combination of technical and traditional management
methods. This is especially true in the area of Internet security, where security
devices protect the perimeter of the company's information management systems.
While technical means are likely to include the use of access control technology,
there are other automated means of enforcing or supporting security policy.
For example, technology can be used to block telephone system users from calling
certain numbers. Intrusion detection software can alert systems administrators
to suspicious activity and enable them to take action to stop such activities.
Personal computers can be configured to prevent booting from a floppy disk.
Automated security enforcement has advantages and disadvantages. When properly
designed, programmed and installed, a computer system can consistently enforce
policy, although no computer can force users to follow all procedures. Additionally,
deviations from policy may sometimes be necessary and appropriate. This situation
occurs frequently if the security policy is too rigid.
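The two sections above make a practical point: the policy states the goal ("adequate logical access controls"), the standard pins the numbers (minimum password length, lockout threshold), and technology can then check or enforce those numbers consistently. The following is an added example, not code from the article or from PricewaterhouseCoopers, showing how such a standard can be expressed as data and checked automatically against a host's login configuration. The parameter names are those used in a Unix /etc/login.defs file; the sample file content is constructed for illustration, and every value in the standard except the eight-character minimum the article mentions is an assumption.

```python
"""Check a login configuration against an IS security standard.

Added example (not from the article): the policy says 'adequate logical
access controls'; the standard pins the numbers; this script checks them.
Standard values are assumptions, except the 8-character minimum from the text.
"""
import re

# The standard, as data: parameter -> (comparison, required value).
# Because these numbers live in the standard and not the policy, tightening
# them later is a standards update, not a board-level policy change.
STANDARD = {
    "PASS_MIN_LEN": ("min", 8),     # article: eight or more characters
    "PASS_MAX_DAYS": ("max", 90),   # assumed: maximum password age in days
    "LOGIN_RETRIES": ("max", 5),    # assumed: failed sign-ons before lockout
}

# Constructed sample in the style of /etc/login.defs (not a real host's file).
# It deliberately contains a weak value, an excessive value, and a control
# that is only present as a comment, i.e. not in force.
SAMPLE_LOGIN_DEFS = """\
# /etc/login.defs (constructed sample)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
#LOGIN_RETRIES  5
UMASK           022
"""

# NAME followed by whitespace and a single value token.
_LINE = re.compile(r"^([A-Z_][A-Z0-9_]*)\s+(\S+)")


def parse_login_defs(text):
    """Return {NAME: value_string} from login.defs-style text.

    Blank lines and comments are skipped, so a commented-out control is
    correctly treated as absent. Later definitions override earlier ones,
    matching how the real file is read top to bottom.
    """
    settings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = _LINE.match(stripped)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def check_standard(settings, standard=STANDARD):
    """Compare parsed settings with the standard.

    Returns a list of (parameter, finding) tuples in the standard's order;
    an empty list means compliant. A parameter absent from the file is a
    finding too: an unset control is not a control.
    """
    findings = []
    for name, (mode, required) in standard.items():
        if name not in settings:
            findings.append((name, f"not set (standard requires {mode} {required})"))
            continue
        try:
            actual = int(settings[name])
        except ValueError:
            findings.append((name, f"non-numeric value {settings[name]!r}"))
            continue
        if mode == "min" and actual < required:
            findings.append((name, f"{actual} is below the minimum of {required}"))
        elif mode == "max" and actual > required:
            findings.append((name, f"{actual} exceeds the maximum of {required}"))
    return findings


if __name__ == "__main__":
    for param, finding in check_standard(parse_login_defs(SAMPLE_LOGIN_DEFS)):
        print(f"DEVIATION {param}: {finding}")
```

Run against the constructed sample, the checker reports three deviations: the five-character minimum, the effectively unlimited password age, and the lockout threshold that is commented out rather than set. The same script run against the real file on each host gives the consistent enforcement the section describes, while the numbers it checks stay in the standard where they can be revised without a board vote.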
Hints for policy creation
Policies require high visibility to be effective. Visibility aids in the implementation
of policy by helping to assure that knowledge of the policy is widely spread
throughout the organisation. Make use of management presentations, videos, panel
discussions, guest speakers, question-answer forums and newsletters to make
your policies visible. The organisation's computer security training
and awareness programme can also be used to notify users of new policies. Introduce
computer security policies in a manner that makes management's
unqualified support clear, especially in environments where employees feel
inundated with policies, directives, guidelines and procedures. The organisation's
policy is the vehicle for emphasising management's commitment to computer
security, and for making clear its expectations for employee performance, behaviour
and accountability.
Computer security policy should also be integrated into and consistent with
other organisational policies such as personnel policies. One way to help ensure
this is to thoroughly coordinate policies during development with other offices
in the organisation. Formulating viable computer security policies is a challenge,
and requires understanding and communication of the organisational goals and
potential benefits that will be derived from the policies. Through a carefully
structured approach to policy development, you can achieve a coherent set of
policies. Without these, there is little hope for any information security
system.
In their biennial report on information security breaches in Britain,
PricewaterhouseCoopers and the UK Department of Trade and Industry found
some astonishing trends:
- The average cost of a serious security incident was £30,000
(approximately US $50,000), and several of those surveyed had single
incident costs that were greater than £500,000 (approx. US $825,000).
- 78 percent of companies surveyed had experienced at least one malicious
security incident, with 44 percent experiencing them within the previous
year.
- 56 percent of those surveyed were either not covered by cyber insurance
or were not sure whether their current insurance policies covered cyber
incidents.
- 27 percent of companies surveyed have no contingency plans for IT
breaches.
- Only 27 percent of surveyed companies have a documented security
policy. However, this number is double what it was in 2000.
Source: www.security-survey.gov.uk/View2002SurveyResults.htm
Last year we reported an increase in the percentage of corporates
with a security policy, from 16 percent in 2000-01 to 41 percent during
2002-03. This year, those corporates with a comprehensive security policy
have expressed a higher level of faith in its effectiveness. More corporates
are expected to formalise their policies in the years to come.
The percentage of companies in India with a comprehensive security policy
remains unchanged at about 40 percent. There is an increase in the percentage
of companies that have laid down security objectives, resulting in a corresponding
reduction in the percentage of companies with no security policy. But
this effort alone may be inadequate to overcome the growing challenge
of protecting information assets. Even today, about 39 percent of organisations
either do not have any policy or operate with an informal policy. This
is almost four times the global average of 10 percent. We predict that
more organisations will formalise and adopt formal security policies in
the years to come.
Source: PwC IS Security Survey 2004
Vulnerabilities reported to CERT, by year

Year             2000    2001    2002    2003    1Q-3Q 2004
Vulnerabilities  1,090   2,437   4,129   3,784   2,683

Total vulnerabilities reported (1995-3Q 2004): 15,629
Source: CERT. www.cert.org/stats/cert_stats.html
The author is consultant, business solutions, IT Risk Management,
PricewaterhouseCoopers. Email: jaspreet.singh@in.pwc.com