
Steps For Improving Your Information Security Policy

SungardAS

By Sue Poremba

If you needed a reason to institute an information security policy, consider this statistic from a Ponemon Institute study from late 2014: 43 percent of businesses dealt with a data breach at some point in the previous twelve months.

True, a security policy won’t prevent a data breach or other cyber security incident. But having an "InfoSec" policy will help ensure that employees better understand their role in preventing (or causing) a data breach, and make certain there is a plan in place in case the worst happens. In this climate of what seems like a constant barrage of information security threats, not having some sort of policy is foolhardy.

And if you do have a policy, there is always room for improvement. Your policy should be a fluid document, one that is regularly evolving to keep up with the ever-changing information security environment.

So whether you have a policy that needs to be reviewed or you need to develop a policy from scratch, there are a few basic points that should be considered to improve the information security policy you have relied on in the past.

Simplify and automate

“The two words that can best guide improvement of any organization's information security policy are ‘simplify’ and ‘automate,’” said Kevin Epstein, Vice President, Advanced Security & Governance with Proofpoint.

Simplify means reducing the policy to a single page, with understandable instructions. “Complexity is the enemy of security; binders on which data should be encrypted, for example, may satisfy a policy audit but, practically speaking, won't improve security,” Epstein explained.

Automation enables simplicity. For example, Epstein said, when users can click 'send' in email and have a central policy engine decide if the email needs encryption or violates policy, security is less circumvented, more consistent, and thus better.

Be realistic

Another consideration when taking steps to improve information security is the widening disconnect between the world that exists in the minds of the policy writers and the actual day-to-day operational world, particularly when BYOD (bring your own device) or cloud computing is involved.

“Over and over, I've seen organizations build policies and procedures that assume a far, far lower use of cloud services than what really exists in their organization -- often wrong by orders of magnitude,” said Geoff Webb, senior director of solution strategy at NetIQ. “It's a recipe for disaster, because it means that the policy can't be applied because it is irrelevant or, worse, that it is actively ignored, further undermining the role of the security, risk and compliance teams.”

Look to internal threats

Webb also pointed out that organizations too often build security policies that are focused on the wrong things – especially the risks associated with external attackers. “Policies today must reflect the fact that attackers are so very often already inside organizations,” Webb said. “No policy about which applications can be installed on your phone or how often you should change your corporate password will protect the business against a determined insider with the access rights to do damage.”

Policies and procedures, then, must be written to reflect the brutal truth that many businesses are incapable of protecting themselves against their own employees, and that those employees represent the single biggest threat to sensitive data and systems, Webb added.

It doesn’t matter how good your information security policy is if it isn’t being used. The 2015 State of the Endpoint study conducted by Ponemon Institute found that three-quarters of IT professionals believe employees who aren’t following security policies are the company’s biggest threat; at the same time, it is questionable whether employees are actually getting the training they need to better understand the policy.

“This may sound crazy given the number of breaches we face in the news,” said Webb, “but the fact is that too many organizations see the process of writing policy as the end result, and it's not. Policies need to reflect the reality of how people work, and need to be presented in a way that makes that relevance clear if we expect them to have any chance of being followed.”

In the end, security policies will only be effective when they are written clearly and recognize that enterprise today involves a highly mobile, highly distributed workforce. “The world of information security has changed so completely that any policy written more than two years ago is almost certainly irrelevant,” Webb pointed out, and any policy written today will likely have a very short shelf life. Taking steps to improve information security policy is a necessity, not a luxury, in today’s threat environment.

