Information security policy: Answering to the board of directors

I recently had a conversation with a longtime colleague, Phyllis Schneck, vice president of eCommSecurity Inc. She is also chairman of InfraGard, a public/private partnership launched by the FBI.

The goal of InfraGard is to strengthen the security of the U.S. critical infrastructure by increasing information-sharing and cooperation between federal law enforcement officials and the private sector and reaching out to companies large and small.

Schneck has been working with the InfraGard board, the FBI, the U.S. Department of Homeland Security and other organizations to develop best practices in building relationships to improve information security programs in both public agencies or private industry.

Wearing her private-sector hat as vice president of Atlanta-based eCommSecurity and leveraging her experience in working with thousands of security professionals nationwide, Schneck's main focus is on the importance of a sound security policy based on the particular requirements of a business.

Our discussion focused on a key question raised during a recent shareholders' meeting: "Can the board of directors assure us that this organization's information security program is deployed fairly and legally in every jurisdiction in which we operate?"

1pixclear.gif
Advice
Bill Malik
1pixclear.gif

Schneck's response, which strongly echoed my own, was that it depends upon the company's information security policy. A well-implemented policy must be employee-supported and carefully monitored if it's to ensure the success of an information security program. Such a policy, she said, improves risk management while building company culture, brand loyalty and company integrity. Alternatively, the absence of such a policy puts an organization in a vulnerable position by contributing to failed security audits; loss of confidence from shareholders, investors and customers; and possible financial and legal ramifications.

Schneck was adamant in stressing that the most crucial component of an effective information security policy is obtaining and maintaining employee buy-in. Employees must truly believe in the policy and the benefits it brings to the company and to them. Achieving this support means involving employees from throughout the company in creating and implementing the policy. A solid information security policy is endorsed and driven from the chairman's table down, yet it's created from the mailroom up, fusing opinions and accountability at all levels while still preserving company culture.

Implementing a security policy: Knowing and disarming the challenges

When we discussed other challenges that can compromise the development and implementation of a successful information security policy, Schneck and I found there are three areas that warrant the most attention.

  1. Political: An information security program begins with the governance of the organization, but it must have support at all levels. The board and the executive teams define the goals and metrics associated with the program as they map to the overall vision and mission of the organization.

    In some instances, these oversight mechanisms will conflict with "renegade" business processes that have proliferated unchecked, resulting in political conflict between IT divisions and business-resource owners. For instance, a department could set up its own inexpensive Web server using Apache, Linux and a spare PC—and thereby introduce a huge security exposure. The governance mechanism must preserve the overall goals, and its authority must ultimately be paramount, but it must also allow for updates and suggestions.

  2. Technical: There are two challenges in this category. First, reconciling corporate policies with technology can be highly complicated. Second, security architectures must be flexible enough to encompass diverse systems that may not naturally fit together. For instance, wireless devices have a primitive security model compared with robust production servers. Although passwords may have to be eight alphanumeric characters long, and a server can actually check for and reject inadequate passwords, a wireless device might not have that capability. Hence the corporation would have to rely on policy supported by awareness and audits to verify that users are using passwords that are strong enough. These technological limitations shouldn't override an information security policy. Instead, they should simply be acknowledged as business as usual and compensated for in the policy.
  3. Cultural: Untrained end users can compromise the success of an information security policy and enforcement program. Training and awareness programs help everyone become familiar with the goals and metrics governing the organization's IT-based activities.

Once these challenges have been addressed and an information security policy has been implemented, a process must be established to assess the policy's effectiveness. A comprehensive audit program—one that's unforgiving and reveals exposures at all organizational levels—is the best way to police an information security policy.

Phyllis Schneck, chairman of InfraGard
1pixclear.gif
Phyllis Schneck, vice president of eCommSecurity Inc. and chairman of InfraGard
1pixclear.gif

Ensuring that your security policies work: Conduct regular audits

Schneck and I agree that security audits, which are now mandated for many organizations, require security policies to map to broader corporate mandates (such as privacy), as well as to keep critical data safe. However, the number of organizations that continue to fail audits—even after implementing a security policy—is alarming.

Most failed audits are the result of a lack of basic controls established to handle sensitive information. Organizations generally understand that some data bears risk, but they tend to underestimate the actual risk associated with the loss, alteration or inadvertent disclosure of such data and often omit some critical data from consideration. To address this problem, organizations need to know who has permission to access specific data and systems, and under what circumstances.

Security audits frequently expose the presence of obsolete user identifications that can be exploited, often maliciously, to gain legitimate access into corporate networks. It's an unnecessary and unacceptable risk for individuals who are no longer employed by an organization to have access rights to information systems. Another common audit finding is the presence of default passwords for systems or applications, an oversight that can be exploited all too easily by the most unsophisticated of users.

In Schneck's opinion, the most important part of the audit process is the follow-up. Unfortunately, this is the step that many companies omit due to time or budget constraints. Immediate follow-up on audit findings enables the organization to derive the greatest value from the audit activity, not only in risk mitigation but also in the comfort of knowing that a set of expert-identified vulnerabilities has been removed.

Schneck also reminded me that auditing should be a continuous process, to be repeated and monitored at regular intervals. Careful audit processes enable the information security policy to be more closely adhered to, resulting in a strong and reliable corporate security program. It's important to note that any audit should include a legal review as well as a technical review to ensure that the organization doesn't place itself in even greater jeopardy.

As Schneck concluded, "With a comprehensive security policy that's well developed, carefully communicated and regularly audited across the organization, you will be able to answer yes to that original question."

Related:

Copyright © 2003 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon