15 May 2008
What is security? It has to be practical. Many organisations have risk management policies which read like War and Peace and one that I came across recently was more than 100 pages long.
I gave it to a student to read and he told me he didn’t know if it was a policy, a standard or a guide, and he didn’t understand anything in the document itself. There was at least a written policy, but it was over-complicated and did not deliver proactive security.
A lot of organisations have standards in place but the question is: Do they follow the standards? And does anybody really care?
A two-page security policy can capture the user requirement. They should not have to understand every detail about the organisation. The security policy should be there to assist the business to deliver its mission it should not be used to hit people over the heads when things go wrong.
Credit report supplier Experian is
an example of an organisation that is very aware of its profile in the market,
and it went to extra exceptional lengths to deliver security.
One of the challenges Experian had was to seek certification under the
ISO
17799 standard, so that the business delivered good, sound, security
practice. The certification was put in place and paid dividends.
Many organisations may not consider security enough when building new
systems. When deploying operating systems, applications or any other part of
your infrastructure, it is important to consider how security can be best
enabled.
An example is free file encryption, which came with Windows 2000 onward. People who have lost laptops often say they couldn’t afford encryption, but, in fact, they usually already own it. Encryption is not infallible, but it does heighten the security barrier.
One of the major concerns that many organisations have today is the amount of devices that users bring to work USB devices, iPods and so on.
Each and every connection in the corporate environment poses risk. If blocking technology is deployed to cope with this, the number of devices often shown to be connected to the network is very scary. It shows a lack of controls if full use of adequate technical security to monitor usability is not made.
This is not about a user coming in to attack the system; it is users who do what they can because they can do it.
A security policy is written for 99.9 per cent of users, but the clever user who is really there to attack a system is the one who knows about the policy and has read it thoroughly.
Some users will always abuse their rights, they will pose consistent and constant challenges.
John Walker is chairman of the
Information Systems Security
Association UK
expert technology panel. This article is taken from a transcript of Walker’s
presentation in a
Computing
web seminar “Managing risk: The challenges for companies”.
Have your say on this article
Newsletters
Latest stories from Security Technology
Latest videos
You may also like
Security Technology jobs
Technology Patent Wars
Case studies from large organisations across all sectors
... And rich media, and flexible working, and peaks in traffic ...
Upcoming Events
Join us for this Computing web seminar, in which the Head of BI at the Co-operative Group Nick Colebourn will be explaining just how he reigned in the Group’s sprawling database estate and how significant savings were realised and data quality improved as a result.
Date: 31 May 2012
Time: 11:00 AM
Live June 13th 11:00am: Register now. During this web seminar we will be looking at the sorts of incidents that can bring data centres grinding to a halt and what can be done about them.
Date: 13 Jun 2012
Time: 11:00 am
Receive the latest jobs direct to your inbox
Are you being paid what you are worth?
