30 Jun 2005
Unfortunately, too many companies believe information security can be assured by buying software or boxes, with no thought given to their implementation or business benefit. However many firewalls, intrusion detection applications and anti-virus packages a company installs, they are worse than useless unless an enforced policy for security is also in place.
If companies operate in an environment of assumed security provided by their appliances and applications, they are more than likely exposed to risk.
Over-complex rules and regulations can also have the opposite effect. If users find the control procedures interfere with their everyday working practices, they will spend an inordinate amount of time attempting to bypass them. They will create exposure points in the process, especially if they do not understand why the rules exist to begin with.
The first step in creating an effective security policy is to perform a rigorous risk assessment on the existing system. It should test the procedures in place and highlight any inadequacies and points of failure. Assessment software such as CRAMM (www.cramm.com) can analyse your processes, applications and organisational structure, and determine which security requirements are necessary to comply with standards such as BS7799 and ISO17999, as well as the Data Protection Act.
Another method is penetration testing, a form of ethical hacking in which a test team checks the control procedures by trying to compromise the system.
In its book Beating IT Risks, PA Consulting says there are enormous benefits in looking at risk across the organisation as a whole.
There are three reasons for risk gathering: completeness, connectedness and significance.
Completeness refers to the tendency to overlook some areas of risk in favour of the most demanding issues. Connectedness means companies must consider the effects a single change, such as a software patch in one area, can have on the organisation as a whole. Significance advises that by looking at risks in a portfolio, the overall effect can be measured and controlled.
Capita’s software testing division, Mission Testing, suggests the network infrastructure is broken down into six classes for assessment:
After this, a full-scale review of applications should be carried out. Many companies tailor off-the-shelf software or develop their own applications, which can create points of exposure.
Points to consider include the possible business impact of an exposure because of failure or misuse of the application, the likelihood of such an event, and the security controls that can be put in place to minimise the impact.
Another consideration is probably the weakest security link in any firm – people.
Most security violations are caused internally, either maliciously or by staff attempting short cuts. Security access for all personnel must be tightly controlled: permissions should be granted as and when necessary, and revoked as soon as staff no longer need them. Empty seats – where someone has left but their access is still in place – are one of the best routes into corporate networks for hackers.
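The empty-seat problem above is one that a periodic access review can catch mechanically. The following is an added example, not from the article or any product it names: it reconciles a constructed account list against a constructed HR leavers list, flagging leavers whose accounts are still enabled and employees whose accounts have gone dormant.

```python
from datetime import date, timedelta

# Constructed sample data (hypothetical users, not from the article):
# an export of user accounts and the HR record of who has left and when.
ACCOUNTS = [
    {"user": "asmith", "enabled": True,  "last_login": date(2005, 6, 28)},
    {"user": "bjones", "enabled": True,  "last_login": date(2005, 3, 1)},   # left, still enabled
    {"user": "cwong",  "enabled": False, "last_login": date(2005, 1, 15)},  # left, correctly disabled
    {"user": "dlee",   "enabled": True,  "last_login": date(2005, 2, 2)},   # employed but unused
]
LEAVERS = {"bjones": date(2005, 3, 4), "cwong": date(2005, 1, 20)}  # user -> leaving date


def find_empty_seats(accounts, leavers):
    """Accounts of people HR records as having left, but which are still enabled."""
    return sorted(a["user"] for a in accounts if a["enabled"] and a["user"] in leavers)


def find_dormant(accounts, today, max_idle_days=60):
    """Enabled accounts with no login for longer than max_idle_days (assumed threshold)."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(a["user"] for a in accounts if a["enabled"] and a["last_login"] < cutoff)


def review(accounts, leavers, today):
    """Run both checks; leavers are reported once, under empty_seats only."""
    empty = find_empty_seats(accounts, leavers)
    dormant = [u for u in find_dormant(accounts, today) if u not in leavers]
    return {"empty_seats": empty, "dormant": dormant}


if __name__ == "__main__":
    print(review(ACCOUNTS, LEAVERS, date(2005, 6, 30)))
```

In practice the account export would come from the directory and the leavers list from HR; the check is only as good as how quickly HR data reaches it.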
With the risk assessment performed, a full-scale security policy can be defined.
A good assessment will cover all aspects of the organisation. However, the policy cannot be written in stone and an out-of-date policy is a risk in itself. Care must be taken to ensure it can develop as the needs of the organisation change, and provision made to introduce new legislation as it arrives.
‘Compliance adoption should not be the completion of a series of “ticks in boxes”, but a fundamental commitment to implementation,’ says John Copleston, head of legal and compliance at FirstAssist Group, which uses Secoda’s RuleSafe compliance application.
Performing a risk assessment, defining a security policy and then enforcing it and developing it is the best way to protect your network, your staff and your business.