Computerworld - I've always tried to be reasonable in my approach to security policies. After all, unreasonable ones will just be ignored or bypassed, actually reducing security.
Of course, "reasonable" is a matter of context. What works for a community college may not be the right approach for a bank or the Pentagon.
Now, I'm finding that being reasonable can also be beneficial in our efforts to cut costs. For example, when I wrote our remote access policy several years ago, I didn't specify a particular technology. Instead, I stated that remote access to our company must employ two-factor authentication, strong encryption (which I defined as a minimum of 128 bits) and the rule of least privilege, meaning a mailroom clerk shouldn't have the same type of access as a network engineer.
At Issue: Every department is under orders to find ways to cut costs.
Action Plan: Encourage creative thinking, listen to others' ideas, and think outside the box.
That policy gave rise to our use of a Nortel VPN concentrator, for a client (IPsec) VPN, and Juniper for the SSL VPN. We've had no problems, but the recent pressure to cut costs has led to some creative thinking by one of our network engineers, who noted that our Cisco router code can support various forms of VPNs. By using the Cisco Internetworking Operating System (IOS) for a dynamic, multipoint VPN, we could eliminate the need to maintain the small Juniper firewalls that we use for point-to-point VPNs within the company.
We could create an IPsec VPN tunnel between two Cisco routers on an as-needed basis, since tunnels can be created on demand between various points within our WAN. Even better, the Cisco IOS can facilitate both IPsec VPNs and SSL VPNs. It's all quite reasonable.
For an additional cost, the Cisco IOS also has an admissions control feature for ensuring that employees gaining remote access to our network are using properly secured equipment. We could lock out client machines that aren't up to date with patches and antivirus software.
I've brought my own creative thinking to bear on another costly process. For the past couple of years, our IT department has been retaining the hard drives of every departing employee as a way of meeting a mandate to keep all data intact. (My company has been involved in a stock-option-grant investigation.) What's more, we've been setting aside corrupted hard drives instead of rebuilding them.
With some 7,000 employees, we've had to retain 50 to 60 drives per month, at a cost of about $12,000 per month. It's costing us a lot of money because we haven't been able to supply our new employees with wiped hard drives.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
