Policy enforcement in the workplace

doi:10.1016/S0167-4048(02)01006-4

Computers & Security

Volume 21, Issue 6, 1 October 2002, Pages 506-513

https://doi.org/10.1016/S0167-4048(02)01006-4 Get rights and content

Abstract

It is well known, at least among true security professionals, that formal policy is a prerequisite of security. While many organizations have security policy of varying types, having policy and being able to enforce it are totally different things. This writing looks at the importance of formal security policy, and then presents and discusses a new set of tools that provide a ready method for assuring critical policy enforcement in the workplace.

Section snippets

The need for policy

Security is not what you do, it is not what you don’t do, it is not what you allow, and it is not what you prevent. Security has nothing to do with how safe your data and systems are. Security is how well you adhere to your formal security policies. Without formal security policies, security is arbitrary, subject to the whims of those administering it.

While security should be based on policy, policy, in turn, should be based on risk analysis. The purpose of this writing is neither to prove the

Getting the word out

It is common for new employees and contractors to be given a copy of an organization’s security policy when starting with the organization. A prerequisite to the new employee or contractor starting is their signing a formal statement to the effect that they have read the policy, that they understand it, and that they will conform to it.

Technology has advanced, and is continuing to advance, at a fantastic rate. Along with the ongoing increases in speed, power, capabilities and ease of use, we

Policy enforcement and exceptions

Having policy is one thing, and enforcing it is another thing entirely. Certain possible policy elements are easy to enforce via technical means. For example, if security policy prohibited the use of instant messaging services, the IM services could be blocked at the organizational firewalls. Other policy elements involve human review. Examples of these include not leaving systems on when unattended, and not leaving passwords in plain sight. Enforcement of the first of these can be aided with

Policy in the 2000s — keeping pace with the new threats

In addition to the great and continuing increases in technical capabilities, and the vulnerabilities and exploits of the vulnerabilities that accompany these irresistible technological advances, there had been a tremendous growth in the placement and use of personal computers in both stand-alone and networked environments. Computers have come down in price almost in proportion to their increase in power. Transmission speeds are now available to many home users that only a few years ago were the

The new policy enforcers

To best understand these new products and appreciate the protections they provide, one must stand back and take another look at just what formal policy is and how it contributes to the security posture. While a given security policy document can easily contains hundreds of specific directives, a macro view of a total security policy could be “Prevent unauthorized use of organizational resources.” (Purists might want to add something like “in keeping with effective risk analysis” or some such.

The way they work

No single product with which I am familiar does every one of the operations, and has all of the options I’ll now discuss. Individually, though, they are found in one or more existing products. The newer products seemed to have learned from the earlier ones in that I’ve found them to have a fuller set of features, and to have eliminated some of the shortcomings of their predecessors. In addition, I’ve found most of the vendors to be more than willing to discuss changes or additions to their

Black and White

As stated above, early policy enforcement products dedicated themselves to protection from damages caused by Internet downloads. One product would provide its protection while the connect session that included the downloads was in process. Another would protect forever if the downloaded files stayed where and as they were, but would cease protection after 2 moves or renames. A third would protect forever, but only the first time a file got executed. (It formed a checksum, verified the checksum

Setting things up

Home users not connected to an organization’s LAN can use these policy enforcement products. Many, if not most users of this type, nominally people who dial up to connect to the Internet from time to time, are far from expert in computers, networks or security matters. Vendors often provide typical policy sets, maybe “light security,” “medium security” and “tight security” for such users to simply select and have them automatically put in place. If such users find themselves regularly violating

Forewarned is forearmed

Even if the policy enforcement software can properly prevent actions that cause damages, it is necessary to alert users of incidents which attempt to violate their policy. The attempts to violate policy may indicate that the user’s policy should be changed (because they have valid reasons for attempting those operations), or they may indicate that something is wrong somewhere on their system. Figure 2 is an example of the alert screen given when a prohibited operation is attempted.

Since

Author’s note

Over the years I’ve been called on time and again to investigate and correct problems due to blatant policy violations. This is why this class of software initially appealed to me. With the White List/Black List situation described above, it automatically keeps things like user software brought from home or school or previous employment — in violation of explicit security policy prohibiting such things — from doing damage. (Remember, Black List status is the default for anything not explicitly

Summary and conclusions

Security is based on policy. At its best, security is the perfect implementation of a formal security policy. Having formal policy and enforcing it are totally different matters. Policy must be enforced to make it effective. In an enterprise environment, the total enforcement of policy can be anywhere from expensive to impossible. A new breed of programs known as policy enforcement software is now available. Policy enforcement can now be automatic for many situations where policy breach could

References (0)

Cited by (32)

Onlooker effect and affective responses in information security violation mitigation
2021, Computers and Security
Citation Excerpt :
This shows there is still a need to better understand employees’ security-related behaviors and the factors that may impact their decision-making process with respect to information security. The use of deterrents is widely advocated by both practitioners and scholars (David, 2002; Kankanhalli et al., 2003) as a means of reducing security policy violations. However, given the continuing prevalence of information security violations in workplaces, researchers may need to uncover other ways to help organizations reduce non-malicious security violations.
The average total cost of a security violation in the United States grew to almost $8 million in 2018. Still, current employees are the top source of security incidents. Many insider threats to cybersecurity are not malicious but are intentional. Many organizations have well-delineated policies intended to guide insiders’ cybersecurity-related behaviors. However, the effectiveness of these policies is questionable. While many behavioral research projects have investigated factors that mitigate information security violations, there is still a need to better understand workplace social dynamics as a contributing factor. This study investigates the perception of being observed by onlookers as one of these factors. Using an experimental design, this study found that the perceived presence of an onlooker who presents a threat results in potential violators experiencing negative emotions (shame and guilt). Feelings of guilt reduce intentions to violate information security policy in a workplace.
State of the art in information security policy development
2020, Computers and Security
Citation Excerpt :
We must acknowledge that organizations and ISP development method designers have different notions of the areas and details of what the content is supposed to cover. An organization might have one huge document covering everything, separate hierarchically connected policies each containing hundreds of directives (David, 2002), or a high-level policy, supplemented by guidelines (Klaic, 2010; Pathari and Sonar, 2012). An example of a hierarchical policy structure is provided in the ISPA, which has strategic-, tactical-, and operational-level policies (Von Solms et al., 2011).
Despite the prevalence of research that exists under the label of “information security policies” (ISPs), there is no consensus on what an ISP means or how ISPs should be developed. This article reviews state-of-the-art ISP development by examining a diverse sample of literature on the subject. The definition and function of an ISP is studied first, revealing a rich tapestry of different notions behind the same term. When looking at the broad picture of the research on ISP development methods, we find different phases and levels of detail. Analyzing the different views on the content, context, and strategy alignment provides for further understanding on the complexity of the matter. As an outcome, we raise issues in ISP definitions and development methods that should be addressed in future research and practical applications. This review concludes that for state-of-the-art ISP development, the focus should shift more toward organization-specific information security needs, as the direction of the current research is still lacking contributions that would show how contextual factors could be successfully integrated into ISP development.
The information security policy unpacked: A critical study of the content of university policies
2009, International Journal of Information Management
Ensuring the security of corporate information, that is increasingly stored, processed and disseminated using information and communications technologies [ICTs], has become an extremely complex and challenging activity. This is a particularly important concern for knowledge-intensive organisations, such as universities, as the effective conduct of their core teaching and research activities is becoming ever more reliant on the availability, integrity and accuracy of computer-based information resources. One increasingly important mechanism for reducing the occurrence of security breaches, and in so doing, protecting corporate information, is through the formulation and application of a formal information security policy (InSPy). Whilst a great deal has now been written about the importance and role of the information security policy, and approaches to its formulation and dissemination, there is relatively little empirical material that explicitly addresses the structure or content of security policies. The broad aim of the study, reported in this paper, is to fill this gap in the literature by critically examining the structure and content of authentic information security policies, rather than simply making general prescriptions about what they ought to contain. Having established the structure and key features of the reviewed policies, the paper critically explores the underlying conceptualisation of information security embedded in the policies. There are two important conclusions to be drawn from this study: (1) the wide diversity of disparate policies and standards in use is unlikely to foster a coherent approach to security management; and (2) the range of specific issues explicitly covered in university policies is surprisingly low, and reflects a highly techno-centric view of information security management.
Information security policy: An organizational-level process model
2009, Computers and Security
Citation Excerpt :
If, for example, an employee is caught knowingly violating a policy, managerial-directed corrective action can occur. The literature emphasizes the importance of enforcement: “Policy must be enforced to make it effective” (David, 2002); without enforcement, a policy might as well not exist. The criminology theory of general deterrence emphasizes policing as a means of warding off potential abusive acts primarily through the fear of sanctions and unpleasant consequences (Parker, 1981).
To protect information systems from increasing levels of cyber threats, organizations are compelled to institute security programs. Because information security policies are a necessary foundation of organizational security programs, there exists a need for scholarly contributions in this important area. Using a methodology involving qualitative techniques, we develop an information security policy process model based on responses from a sample of certified information security professionals. As the primary contribution of this research study, the proposed model illustrates a general yet comprehensive policy process in a distinctive form not found in existing professional standards or academic publications. This study's model goes beyond the models illustrated in the literature by depicting a larger organizational context that includes key external and internal influences that can materially impact organizational processes. The model that evolved from the data in this research reflects the recommended practices of our sample of certified professionals, thus providing a practical representation of an information security policy process for modern organizations. Before offering our concluding comments, we compare the results of the study with the literature in both theory and practice and also discuss limitations of the study. To the benefit of the practitioner and research communities alike, the model in this study offers a step forward, as well as an opportunity for making further advancements in the increasingly critical area of information security policy.
Aligning the information security policy with the strategic information systems plan
2006, Computers and Security
Citation Excerpt :
There is a growing consensus both within the academic and practitioner communities that the information security policy is the basis for the dissemination and enforcement of sound security practices, within the organisational context (e.g. Baskerville and Siponen, 2002; Doherty and Fulford, 2005). As David (2002) notes: ‘it is well known, at least among true security professionals, that formal policy is a prerequisite of security’. Similarly, Lindup (1995) asserts:
Two of the most important documents for ensuring the effective deployment of information systems and technologies within the modern business enterprise are the strategic information systems plan (SISP) and the information security policy. The strategic information systems plan ensures that new systems and technologies are deployed in a way that will support an organisation's strategic goals whilst the information security policy provides a framework to ensure that systems are developed and operated in a secure manner. To date, the literature with regard to the formulation of the information security policy has tended to ignore its important relationship with the strategic information systems plan, and vice versa. In this paper we argue that these two important policy documents should be explicitly and carefully aligned to ensure that the outcomes of strategically important information system initiatives are not compromised by problems with their security.
A Theoretical Foundation for Explaining and Predicting the Effectiveness of a Bring Your Own Device Program in Organizations
2022, SN Computer Science

View all citing articles on Scopus

View full text