Jul 26, 2010

IT pros spend a lot of time doing fun things like cleaning up machines to get rid of malware and dealing with the consequences of sensitive data loss by employees. You’d think that with so much experience – and pain – under their collective belts, they’d naturally focus their attention on preventative measures, such as beefing up security policies. But surprisingly, they don’t.

“As far as companies actually having policies, it’s more rare than you would think – even for very large companies. Often they’re very limited and not customized – just pulled off the Internet,” says Alex Hamerstone, a security consultant at SecureState. He writes a few hundred policies a year in his role there.

Of course, security policies must start with the basics. “In most cases, IT security needs to be neither radically complex nor confusing; common sense and basic protection are generally more than sufficient,” says James Quin, lead research analyst at Info-Tech Research. Policy #1, then, starts at the ground floor with foundational requirements: end users must use passwords of at least 7 characters for access to corporate resources, and they may not share passwords or user names.

Users also need to protect their systems proactively when they step away from them, guarding data against insider activity as well as outside penetration. This seems obvious, but isn’t always followed. Policy #2: End users must lock their desktops when they walk away from them. This policy not only helps prevent access to data by those with malicious intent, but is also a sound precaution against accidental breaches of compliance requirements, so it is particularly valuable in organizations subject to regulations securing consumer and patient data.

Tip: Technical controls matter a great deal in enforcing security policies. For example, if your written policy requires a 7-character password, you need to enforce that requirement in Windows Group Policy or other software that supports it. Steve M. Erdman, a security consultant at SecureState, also points out that Windows 7 has much better security controls in important areas that IT can leverage to secure end user computing. AppLocker, for instance, is a set of control rules that administrators can set up to determine which applications certain users are allowed to run, he says, and BitLocker’s full disk encryption addresses the fact that data no longer lives securely in the data center but on traveling laptops’ hard disks.
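The point of the tip is that a written policy is only as good as the control that enforces it. The following PowerShell script is an added example, not code from the article or from SecureState; it reads the effective local security policy with `secedit` and the current user's screen-saver settings, and compares them with Policy #1 (7-character minimum) and Policy #2 (lock on walk-away). The 10-minute idle threshold and the temp-file path are assumptions chosen for illustration.

```powershell
# Added example (not from the article): compare the written policy with the
# technical controls actually in force on this Windows machine.
# Run in an elevated PowerShell session (secedit needs administrator rights).

$RequiredMinPasswordLength = 7      # Policy #1 in the article
$MaxIdleSecondsBeforeLock  = 600    # assumed backstop for Policy #2 (10 minutes)

# secedit exports the effective local security policy as an INI-style file.
$cfg = Join-Path $env:TEMP 'secpol-export.cfg'
secedit /export /cfg $cfg /quiet | Out-Null
$policy = Get-Content $cfg
Remove-Item $cfg -ErrorAction SilentlyContinue

function Get-SeceditValue {
    # Return the value of "Name = value" from the exported policy, or $null.
    param([string[]]$Lines, [string]$Name)
    $line = $Lines | Where-Object { $_ -match "^\s*$Name\s*=" } | Select-Object -First 1
    if ($line) { return ($line -split '=', 2)[1].Trim() }
    return $null
}

$findings = @()

# Policy #1: minimum password length enforced by the operating system.
$minLen = [int](Get-SeceditValue -Lines $policy -Name 'MinimumPasswordLength')
if ($minLen -lt $RequiredMinPasswordLength) {
    $findings += "MinimumPasswordLength is $minLen; written policy requires $RequiredMinPasswordLength"
}

# Policy #2: a password-protected screen saver with a short timeout is the
# technical backstop for "lock when you walk away". These are the values a
# Group Policy Object would push; here they are read for the current user.
$desktop = Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
if ($desktop.ScreenSaveActive -ne '1')    { $findings += 'Screen saver is not active' }
if ($desktop.ScreenSaverIsSecure -ne '1') { $findings += 'Screen saver does not require a password on resume' }
if ([int]$desktop.ScreenSaveTimeOut -gt $MaxIdleSecondsBeforeLock) {
    $findings += "Screen saver timeout is $($desktop.ScreenSaveTimeOut)s; policy allows at most $MaxIdleSecondsBeforeLock"
}

if ($findings.Count -eq 0) {
    Write-Output 'Technical controls match the written policy.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Any finding is a gap between paper and practice. The fix belongs in Group Policy (Account Policies and the screen-saver settings under User Configuration) rather than on each machine, so that the control is applied uniformly and survives a rebuild; the script is for verifying that the GPO actually landed.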

Securing systems against breaches of industry or regulatory requirements, from PCI to HIPAA, is a reason to institute Policy #3: End users may not access their personal email accounts on corporate-owned resources. An incident at Ohio’s Akron Children’s Hospital last year sheds light on why: A man e-mailed commercial keylogger spyware to an ex-girlfriend’s personal Yahoo account, so that he could monitor her actions on her own PC, according to reports of the incident. But she wound up opening the message on a shared computer in one of the hospital’s departments and installed the program on that system. As a result the man was e-mailed more than 1,000 screen captures that included details of medical procedures, diagnostic notes, and other confidential information pertinent to more than 60 patients, reports said.

Encompass All IT-Owned Infrastructure…

That incident could have been prevented if employees at Akron Children’s Hospital understood a policy not to install any application on their desktops that hasn’t been IT-approved. But even if such a policy already exists in an organization, it can be made more current by making it clear that it extends beyond traditional PC systems. Policy #4: End users may only install applications noted on the published list(s) of acceptable applications to any corporate-owned device. That includes desktop PCs, laptops, and wireless devices. Employees otherwise are strictly prohibited from downloading/installing applications to any of these devices. All other applications must be approved by IT before end users may download or install them. Employees are not authorized to download any unapproved software. (That’s a long one but you can’t be too careful when it comes to being clear here.)
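Policy #4 describes an allow-list, and AppLocker (mentioned in the tip above) is the Windows control that turns a "published list of acceptable applications" into something the operating system enforces. The script below is an added example, not code from the article or from Microsoft's documentation; it builds an AppLocker allow-list policy from a folder holding the IT-approved binaries, then tests whether a downloaded file would be permitted. The folder, policy path and test file are assumptions for illustration, and the AppLocker cmdlets require a Windows edition that ships them (Windows 7 Enterprise/Ultimate and later).

```powershell
# Added example (not from the article): generate an AppLocker allow-list from
# the IT-approved applications and check a file against it.
# Assumed paths; adjust to your environment.
Import-Module AppLocker

$ApprovedAppsFolder = 'C:\ApprovedApps'                        # assumed: IT-published applications
$PolicyXml          = 'C:\Policies\AppLocker-Allowlist.xml'    # assumed output location
$FileToCheck        = 'C:\Users\Public\Downloads\setup.exe'    # assumed file a user wants to run

# 1. Collect identity information (publisher signature, file hash, path) for
#    every executable, DLL, script and installer under the approved folder.
$fileInfo = Get-AppLockerFileInformation -Directory $ApprovedAppsFolder -Recurse `
    -FileType Exe, Dll, Script, WindowsInstaller

# 2. Generate allow rules for Everyone. Publisher rules are tried first because
#    they survive version updates of signed software; hash rules are the
#    fallback for unsigned binaries. -Optimize merges duplicate rules.
$fileInfo | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $PolicyXml -Encoding utf8

# 3. Ask the policy whether the downloaded file would be allowed, and by which rule.
Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $FileToCheck -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Apply on this machine only after reviewing the XML (see note below).
#    -Merge keeps rules already in place instead of replacing them.
# Set-AppLockerPolicy -XmlPolicy $PolicyXml -Merge
```

Two cautions a practitioner would want before enforcing: the generated XML has its rule collections set to NotConfigured, so set `EnforcementMode="AuditOnly"` first and watch the AppLocker event log for what would have been blocked; and an allow-list that contains only the approved folder's applications will also block Windows itself unless the default rules for the Windows and Program Files directories are merged in. Domain-wide, the same XML is imported into a Group Policy Object rather than set per machine.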

Wireless mobile devices’ increased ubiquity and capability mean that, in many respects, best security practice is to treat them no differently than laptops, says Quin. For example, “Encryption of the hard disk of a laptop is a great way to stop attackers from getting data by stealing laptops,” notes Steve M. Erdman, Hamerstone’s security consultant colleague at SecureState. So why not apply that same thinking and deploy encryption technologies to all portable computing devices containing restricted or confidential data, or even to desktops that may hold a certain number of restricted or confidential data records?

Getting encryption technologies on board your systems is a job for IT and InfoSec, but IT also needs to create an encryption policy for users. To that end, Policy #5 should require end users to take actions such as reporting to IT any known, unencrypted restricted data that exists on portable or other computing devices, and not attempting to disable, remove, or otherwise tamper with encryption software.
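Policy #5 relies on users reporting unencrypted data, but IT should not depend on that alone: the encryption state of every volume is something the machine can report itself. The script below is an added example, not code from the article; it uses the BitLocker PowerShell module (Windows 8 / Server 2012 and later; on Windows 7 the equivalent is `manage-bde -status`) to list the operating-system and data volumes that are not currently protected, which is the list IT needs in order to follow up on the policy. The report path is an assumption.

```powershell
# Added example (not from the article): report volumes that are not
# BitLocker-protected so IT can reconcile them with Policy #5.
# Run elevated; requires the BitLocker module.
Import-Module BitLocker

$ReportCsv = 'C:\Reports\bitlocker-status.csv'   # assumed output location

function Get-UnprotectedVolumes {
    # Only OS and data volumes can hold restricted data; ProtectionStatus 'On'
    # means encryption is complete AND the key protectors are active.
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' -and $_.ProtectionStatus -ne 'On' } |
        Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus, EncryptionPercentage,
            @{ Name = 'KeyProtectors'; Expression = { ($_.KeyProtector.KeyProtectorType -join ',') } }
}

$unprotected = Get-UnprotectedVolumes
if ($unprotected) {
    $unprotected | Format-Table -AutoSize
    $unprotected | Export-Csv -Path $ReportCsv -NoTypeInformation
    Write-Output "Unprotected volumes written to $ReportCsv"
} else {
    Write-Output 'All OS and data volumes are BitLocker-protected.'
}

# Remediation for an OS drive with a TPM, kept as a comment because it starts
# encryption and must be paired with escrow of the recovery password:
# Enable-BitLocker -MountPoint 'C:' -TpmProtector -EncryptionMethod XtsAes256
# Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
```

A volume with `VolumeStatus` of FullyEncrypted but `ProtectionStatus` Off is the case to watch: encryption finished, but protection was suspended (for instance around a firmware update) and never resumed, which is exactly the "tampering" the policy tells users not to do. `Resume-BitLocker -MountPoint 'C:'` puts it back; the report makes such volumes visible.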

…And Account For Non-IT Owned Infrastructure, Too

Security has to come into play from the very personal to the most public – and by that we mean the cloud. “There really is a litany of security concerns associated with cloud computing, ranging from insecure interfaces, to untrustworthy employees to risk of search and seizure,” says Quin. “Most of these issues revolve around an enterprise’s relinquishing of control (i.e. the lack of control of how interfaces are coded, lack of control over employee screening processes, lack of control over data storage paradigms).”

Fortunately, at least one of those can be addressed with a policy measure. Policy #6 should mandate that leadership in business and IT units use the cloud only for storage and processing of non-confidential, non-proprietary data, which is the safest way to use it. (That means only data you can afford to lose, Quin explains.)

To really ensure your policies are effective and enforced, educating your end users must be a priority. Train them about the risks, help them understand what threats look like (such as suspicious emails), and tell them to keep IT in the loop when something concerns them. “If they don’t understand why policies are in place, they tend not to follow them or to look for ways around them… If they understand why, they tend to be more receptive,” says Hamerstone. “They don’t think of it like ‘the man’ coming down on them.”

IT Expert Voice is a partnership between Dell and Federated Media.