Security Policy Discussion

“How does creating a security policy ensure the protection of the organization?  What controls need to be implemented in order for the security policy to be effective?  When developing the security policy, who is responsible for conducting the risk analysis of the policy? At what point of the policy development lifecycle should the risk analysis be conducted?”


A thorough and followed security policy is the last line of defense for an organization, as it is the rules that dictate the behavior of your most vulnerable link, the human element. In my experience, there is no such thing as too stringent a method to implement to enforce information security, and there is no one person that is responsible for its implementation. Everyone from management to IT to the janitor is responsible for a tight ship. It's my opinion that the IT department should draft a security policy, then submit it to management, correct any operational inconsistencies and inconveniences, and then send it back to IT for implementation, enforced and reinforced by management, then questioned every step of the way to the end user.

As the Network Administrator for a small civilian business (a radio station), I find myself considering these problems every day.

Our first policy is simple and requires little training: the architecture of the network, designed to allow as little damage as possible. By hardwiring our sales machines and our more technical devices, each on separate subnets, we can ensure (but not guarantee) a minimal risk of cross-contamination. By using other subnets for our business and guest Wi-Fi, we do the same. Furthermore, we schedule the Wi-Fi, closing the networks during non-operational hours, preventing further risk.

Fortunately, these precautions were designed by my predecessor, a wiser man than I, and it's merely my job to maintain and enforce these policies, but I have gone further and installed strong privacy filters on all the web browsers, even implementing Flash blockers, under the philosophy that a) if there's an inadvertent click, they are safe; b) if the click was on purpose and they can't access the desired internet material, they will find another way; or c) if they cannot safely access the desired information that may potentially contaminate the device, they will come to me or an authorized manager to unblock and allow access.

And in answer to the final discussion question: you can bet that every time that happens, it's the point in the policy development lifecycle at which the risk analysis is conducted. Yes, it's inconvenient; yes, it can be labor-intensive, or worse, time-intensive; but it works, and now I spend more time unhiding the Send button in Thunderbird than I do running ComboFix to clean an infected machine.

“Thank you, that is an excellent example of a small business attempting to operate in a complex threat environment. What do you think your greatest threat is?”


As we don't carry any incriminating information like credit card numbers or social security numbers, I would say our biggest threat is human error, or a corrupted database. It's also possible that a disgruntled employee may attempt to log in and delete logs in an attempt to cause a ruckus, but by cycling passwords and appreciating our valued workers as individuals, that threat is all but entirely mitigated.

Though there was one recent article that tightened up my rear end: (http://www.infoworld.com/article/3121338/security/seagate-nas-hack-should-scare-us-all.html)

Anything is vulnerable. Our biggest concern is randomly being targeted by malware that could knock holes in our ship. It's annoying, but as administrators, we have to stay diligent in upgrading passwords and keeping an ear to the ground to hear of the latest attacks, in order to prevent similar attacks on our network.

“You have great security measures in place. The biggest possible threat I can see to your network is possibly introducing an authorized external device to your network, like a flash drive or external hard drive. That was an issue that we always struggled with in the military when I was in. People bringing in their own external drives and plugging them in to make unauthorized digital copies of some of our work publications for studying purposes. They infected a lot of machines that way. They had to implement a program that would notify IT when an unauthorized device was plugged into a machine, and that user account would get locked out. Great post!”

That's a very good point that I will take under consideration. But without implementing Active Directory or some other account management system, I'm not sure I see how I would be able to enforce that.

Since our only coveted information is a bunch of badass music, I think the cost outweighs the risk in this particular instance.

And for what it's worth, I've done PC repair and support for high schools, colleges, doctors' offices, and end users for over a decade, and without discounting the very real threat of targeted malware that I'm sure runs rampant in the military, I have yet to see a single instance of it in the wild. I am much more concerned with one of our DJs or salespeople bringing in a virus from some dumb Facebook game on their phones or laptops.
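The commenter describes a program that notifies IT when an unauthorized device is plugged in and locks the user's account, and the reply asks how that could be done without Active Directory. The script below is an added example for this discussion, not code from either participant: a removable-media watcher for a stand-alone, non-domain Windows workstation where the users are local accounts. Every specific in it is an assumption: approved drives are recognized by the Win32_DiskDrive PNPDeviceID values listed in $Approved (the one shown is a constructed sample), IT is "notified" by writing a Warning to the Application event log under a hypothetical source named UsbWatch (forward it however the shop already collects logs), and the offending user is a local account that Disable-LocalUser can disable. It must run from an elevated PowerShell session.

```powershell
# Added example, not from the original discussion. Reacts to a USB disk that
# is not on the approved list by logging a warning, locking the console, and
# disabling the interactive local account. All names and IDs are hypothetical.

$Approved = @(
    # Constructed sample ID of a sanctioned drive. Get the real values with:
    #   Get-CimInstance Win32_DiskDrive | Select-Object InterfaceType, PNPDeviceID
    'USBSTOR\DISK&VEN_SAMPLE&PROD_STATIONKEY&REV_1.00\0123456789&0'
)

# Create the event log source once so Write-EventLog has somewhere to write.
if (-not [System.Diagnostics.EventLog]::SourceExists('UsbWatch')) {
    New-EventLog -LogName Application -Source 'UsbWatch'
}

$onVolumeChange = {
    $approved = $Event.MessageData           # the $Approved list passed in below
    $ev       = $Event.SourceEventArgs.NewEvent

    # Win32_VolumeChangeEvent.EventType: 2 = device arrival, 3 = device removal.
    if ($ev.EventType -ne 2) { return }

    # Every USB-attached disk present right now that is not on the list is
    # treated as unauthorized.
    $rogue = Get-CimInstance Win32_DiskDrive |
        Where-Object { $_.InterfaceType -eq 'USB' -and ($_.PNPDeviceID -notin $approved) }
    if (-not $rogue) { return }

    # Who is at the console? UserName is "MACHINE\name", or null if nobody is logged on.
    $who  = (Get-CimInstance Win32_ComputerSystem).UserName
    $name = if ($who) { $who.Split('\')[-1] } else { $null }

    $msg = "Unauthorized removable device on $($ev.DriveName) while '$who' was logged on: " +
           ($rogue.PNPDeviceID -join '; ')
    Write-EventLog -LogName Application -Source 'UsbWatch' -EntryType Warning `
                   -EventId 1001 -Message $msg

    # Lock the console immediately, then disable the local account so the user
    # cannot simply unlock it; re-enabling is a deliberate act by the administrator.
    Start-Process -FilePath 'rundll32.exe' -ArgumentList 'user32.dll,LockWorkStation'
    if ($name -and (Get-LocalUser -Name $name -ErrorAction SilentlyContinue)) {
        Disable-LocalUser -Name $name
    }
}

# Subscribe to volume-change events; the approved list rides along as MessageData
# so the action block does not depend on the script's variable scope.
Register-CimIndicationEvent -ClassName Win32_VolumeChangeEvent `
    -SourceIdentifier 'UsbWatch' -MessageData $Approved -Action $onVolumeChange

# Keep the session, and therefore the subscription, alive when run as a script.
while ($true) { Start-Sleep -Seconds 60 }
```

Two caveats a practitioner would want: this reacts only after Windows has already mounted the volume, so it is detection and response rather than prevention (blocking removable storage outright is a separate device-installation-policy setting), and because the response disables a local account on the machine itself, an administrator has to walk over and re-enable it, which is exactly the "come to me to unblock" workflow the original post already relies on.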
