[ISN] Firms failing to balance security policy, enforcement

From: InfoSec News (alerts@private)
Date: Tue Aug 29 2006 - 22:52:21 PDT


http://www.zdnet.com.au/news/security/soa/Firms_failing_to_balance_security_policy_enforcement/0,2000061744,39268050,00.htm

By Munir Kotadia
ZDNet Australia
30 August 2006

Australian firms are having trouble creating and then enforcing a good
security policy, which means employees end up frustrated because their
movements are shackled or their actions cause unwanted information
leakage.

A security policy should adequately reflect the risks and requirements
of a particular organisation. If the policy is too strict it may
hinder employee productivity and if it is too weak, it could open the
organisation to vulnerabilities and information loss or theft.

In a recent survey of Australian enterprises, 83 percent said they
were worried about exposing their customers' records and 72 percent
said losing financial data was a serious concern. However, the
majority of respondents admitted that they rely on their employees to
enforce the security policy.

Samia Rauf, director of worldwide corporate communications for
document management specialists Workshare, which commissioned the
study, said that one of the biggest mistakes made by enterprises is
not finding a suitable balance between creating and enforcing a
security policy.

"There is a fine line between governance and productivity," Rauf told
ZDNet Australia. "Yes you must have a policy.… However, you have got
to be continually educating [users] and if you don't educate them then
you are going to start putting controls in place that are so
militarian [sic] that it affects the productivity of your workers."

"You can focus on productivity and lose control [of security]," said
Rauf.

Jo Stewart-Rattray, director of information security at Vectra
Corporation, said she had seen some very well written policies that
were effectively useless because so few people in the organisation
actually knew they existed.

"It is true that a lot of people don't enforce policies…. You can have
the very best policy in the world but unless it is disseminated across
the whole organisation it serves little purpose," she said.

Stewart-Rattray cited an example where a company she knows wasted a
lot of time creating a "good" security policy: "It was one of the best
written policies I have ever seen … but once I got out of IS and IT,
no-one knew about it."

According to Rauf, tools can be used to help enforce a security policy
and educate users by issuing alerts when the policy is about to be
broken.

"You can block information from being uploaded onto the Internet. A
lot of things get stolen over Hotmail and Yahoo -- people send their
CVs out all the time. You can block or alert when that is happening.

"It will allow [users] to do the right thing by being alerted when
they are about to breach policy. People are then constantly being
educated," said Rauf.

However, Vectra's Stewart-Rattray warned companies not to completely
rely on automated tools: "There are some things that logical tools
can't actually enforce -- and often it still relies on a human audit
to see if current practice meets policy."


