Data Security Policies Need Focus, Execs Say

Computerworld - ORLANDO -- Focus, simplicity and enforceability are the keys to crafting corporate information security policies, according to IT managers who attended the annual InfoSec World conference here last week.

"Pick your battles," Anish Bhimani, chief information security officer at JPMorgan Chase & Co., advised other attendees during a panel discussion. He added that instead of having a laundry list of compliance items, companies need to be "crystal clear" on what their security objectives are and spell them out in a policy that workers can easily understand and that is high level enough to remain relevant for an extended period of time.

For instance, JPMorgan Chase has set a relatively short list of "must comply with" requirements that encapsulate the New York-based company's high-level data-protection goals, Bhimani said. It has also implemented a broader set of "should comply with" items that are more along the lines of best practices, he added.

"One of the things to consider is, how many controls are you asking people to comply with? Just focus on the things that matter," Bhimani said. "By definition, policies are mandatory," said Charles Pask, managing director at ITSec Associates Ltd., a consulting firm in Leicester, England. As a result, they should include only items that workers absolutely must comply with, Pask said. Specific security standards and controls should then be implemented as part of an overall risk-assessment program, he added.

Sandy Bacik, corporate security officer at Tekelec, a Morrisville, N.C.-based provider of telecommunications services, said IT security policies should mandate behavior at a high level and need to be kept separate from security standards and guidelines.

For instance, a company could have a corporate policy requiring business units to protect their information assets based on the importance of data, Bacik said. A related guideline could inform business managers about the need for strong access controls, while a standard could specify the use of a particular password approach, she said.

Bhimani recommended that companies make their security policies technology-agnostic as well. "You can't mandate the use of a specific technology in a policy," he said, adding that by doing so, you lose the flexibility needed to quickly adapt to both technology and business changes.

Information security policies "written by IT managers for IT managers" seldom work, said Tom Walsh, an independent consultant in Overland Park, Kan. It's better to craft one set of policy objectives for business users and another for the IT staff, Walsh said.

The latter should cover issues that pertain specifically to IT workers, such as data backup, configuration management and change-control procedures, he said.

Security policies also need to be easily enforceable to be effective, said Philip Maier, vice president of the information security, emerging technology and network group at Inovant Inc. , Visa International Inc.'s IT unit. Therefore, it's a good idea to vet all policies with the people who will be responsible for enforcing them, as well as with internal technology experts, Maier said.

For multinational companies, writing security policies that retain the same meaning when translated into different languages can be a challenge, Pask said.

Similarly, terms that are acceptable in the U.S can create problems elsewhere. Maier noted that Inovant had to replace references to "master" and "slave" systems after employees in Asia found those words to be objectionable.

Read more about security in Computerworld's Security Knowledge Center.