Policy enforcement in the workplace
Section snippets
The need for policy
Security is not what you do, it is not what you don’t do, it is not what you allow, and it is not what you prevent. Security has nothing to do with how safe your data and systems are. Security is how well you adhere to your formal security policies. Without formal security policies, security is arbitrary, subject to the whims of those administering it.
While security should be based on policy, policy, in turn, should be based on risk analysis. The purpose of this writing is neither to prove the
Getting the word out
It is common for new employees and contractors to be given a copy of an organization’s security policy when starting with the organization. A prerequisite to the new employee or contractor starting is their signing a formal statement to the effect that they have read the policy, that they understand it, and that they will conform to it.
Technology has advanced, and is continuing to advance, at a fantastic rate. Along with the ongoing increases in speed, power, capabilities and ease of use, we
Policy enforcement and exceptions
Having policy is one thing, and enforcing it is another thing entirely. Certain possible policy elements are easy to enforce via technical means. For example, if security policy prohibited the use of instant messaging services, the IM services could be blocked at the organizational firewalls. Other policy elements involve human review. Examples of these include not leaving systems on when unattended, and not leaving passwords in plain sight. Enforcement of the first of these can be aided with
Policy in the 2000s — keeping pace with the new threats
In addition to the great and continuing increases in technical capabilities, and the vulnerabilities and exploits that accompany these irresistible technological advances, there has been a tremendous growth in the placement and use of personal computers in both stand-alone and networked environments. Computers have come down in price almost in proportion to their increase in power. Transmission speeds are now available to many home users that only a few years ago were the
The new policy enforcers
To best understand these new products and appreciate the protections they provide, one must stand back and take another look at just what formal policy is and how it contributes to the security posture. While a given security policy document can easily contain hundreds of specific directives, a macro view of a total security policy could be “Prevent unauthorized use of organizational resources.” (Purists might want to add something like “in keeping with effective risk analysis” or some such.
The way they work
No single product with which I am familiar does every one of the operations, and has all of the options, I’ll now discuss. Individually, though, they are found in one or more existing products. The newer products seem to have learned from the earlier ones, in that I’ve found them to have a fuller set of features and to have eliminated some of the shortcomings of their predecessors. In addition, I’ve found most of the vendors to be more than willing to discuss changes or additions to their
Black and White
As stated above, early policy enforcement products dedicated themselves to protection from damages caused by Internet downloads. One product would provide its protection while the connect session that included the downloads was in process. Another would protect forever if the downloaded files stayed where and as they were, but would cease protection after 2 moves or renames. A third would protect forever, but only the first time a file got executed. (It formed a checksum, verified the checksum
Setting things up
Home users not connected to an organization’s LAN can use these policy enforcement products. Many, if not most, users of this type, nominally people who dial up to connect to the Internet from time to time, are far from expert in computers, networks or security matters. Vendors often provide typical policy sets, maybe “light security,” “medium security” and “tight security,” for such users to simply select and have automatically put in place. If such users find themselves regularly violating
Forewarned is forearmed
Even if the policy enforcement software can properly prevent actions that cause damage, it is necessary to alert users to attempts to violate their policy. Such attempts may indicate that the user’s policy should be changed (because they have valid reasons for attempting those operations), or they may indicate that something is wrong somewhere on their system. Figure 2 is an example of the alert screen given when a prohibited operation is attempted.
Since
Author’s note
Over the years I’ve been called on time and again to investigate and correct problems due to blatant policy violations. This is why this class of software initially appealed to me. With the White List/Black List situation described above, it automatically keeps things like user software brought from home or school or previous employment — in violation of explicit security policy prohibiting such things — from doing damage. (Remember, Black List status is the default for anything not explicitly
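As an added illustration (not code from the article, nor from any of the products it describes) of the default Black List behaviour described in this note and the checksum-on-first-execution scheme from the “Black and White” section, together with the alerting that “Forewarned is forearmed” calls for: the enforcer below refuses anything not explicitly White Listed, pins a program’s checksum the first time it is approved to run, refuses it if the file later changes, and records an alert for the user to review in each case. The file paths, the “pin on first run” convention and the sample file contents are constructed for the example.

```python
"""Added example: a minimal White List / Black List policy enforcer.

Assumptions (mine, not the article's):
- the policy is a mapping of program path -> pinned SHA-256; an empty string
  means "pin the checksum on the first approved execution";
- anything not on the White List is Black Listed by default and refused;
- every refusal produces an alert record, since a refusal may mean the
  policy is too tight or that something on the system has changed.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def sha256_of(data: bytes) -> str:
    """Checksum used to recognise a program on later executions."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class PolicyEnforcer:
    # White List: path -> pinned SHA-256 ("" = not yet pinned)
    whitelist: Dict[str, str]
    # Alerts raised for the user; see the 'Forewarned is forearmed' section
    alerts: List[str] = field(default_factory=list)

    def check_execution(self, path: str, content: bytes) -> bool:
        """Return True if `path` with these bytes may run under the policy."""
        digest = sha256_of(content)
        if path not in self.whitelist:
            # Default Black List: not explicitly allowed, so refuse and alert.
            self.alerts.append(f"BLOCKED {path}: not on White List")
            return False
        pinned = self.whitelist[path]
        if pinned == "":
            # First execution of an approved program: pin its checksum.
            self.whitelist[path] = digest
            return True
        if pinned != digest:
            # File changed since it was pinned (e.g. replaced or altered).
            self.alerts.append(
                f"BLOCKED {path}: checksum {digest[:12]}... does not match "
                f"pinned {pinned[:12]}..."
            )
            return False
        return True


def run_demo() -> Tuple[List[bool], List[str]]:
    """Constructed scenario: one approved editor, one program from home."""
    enforcer = PolicyEnforcer(whitelist={"C:/apps/editor.exe": ""})
    editor_v1 = b"constructed editor binary v1"
    editor_v2 = b"constructed editor binary v2 (altered)"
    home_game = b"constructed game brought from home"
    results = [
        enforcer.check_execution("C:/apps/editor.exe", editor_v1),  # pinned, allowed
        enforcer.check_execution("C:/apps/editor.exe", editor_v1),  # same bytes, allowed
        enforcer.check_execution("C:/apps/editor.exe", editor_v2),  # changed, refused
        enforcer.check_execution("C:/home/game.exe", home_game),    # not listed, refused
    ]
    return results, enforcer.alerts


if __name__ == "__main__":
    outcomes, alerts = run_demo()
    print("execution outcomes:", outcomes)
    for line in alerts:
        print("ALERT:", line)
```

The two alerts the demo produces are deliberately different in kind: the first (checksum mismatch on an approved program) is the “something is wrong on the system” case, the second (program not on the list) is the case where the user may have a legitimate reason and the policy might need changing. Keeping them distinguishable in the alert text is what lets a reviewer decide which response applies.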
Summary and conclusions
Security is based on policy. At its best, security is the perfect implementation of a formal security policy. Having formal policy and enforcing it are totally different matters. Policy must be enforced to make it effective. In an enterprise environment, the total enforcement of policy can be anywhere from expensive to impossible. A new breed of programs known as policy enforcement software is now available. Policy enforcement can now be automatic for many situations where policy breach could
Cited by (32)
Onlooker effect and affective responses in information security violation mitigation
2021, Computers and Security
Citation excerpt: This shows there is still a need to better understand employees’ security-related behaviors and the factors that may impact their decision-making process with respect to information security. The use of deterrents is widely advocated by both practitioners and scholars (David, 2002; Kankanhalli et al., 2003) as a means of reducing security policy violations. However, given the continuing prevalence of information security violations in workplaces, researchers may need to uncover other ways to help organizations reduce non-malicious security violations.
State of the art in information security policy development
2020, Computers and Security
Citation excerpt: We must acknowledge that organizations and ISP development method designers have different notions of the areas and details of what the content is supposed to cover. An organization might have one huge document covering everything, separate hierarchically connected policies each containing hundreds of directives (David, 2002), or a high-level policy, supplemented by guidelines (Klaic, 2010; Pathari and Sonar, 2012). An example of a hierarchical policy structure is provided in the ISPA, which has strategic-, tactical-, and operational-level policies (Von Solms et al., 2011).
The information security policy unpacked: A critical study of the content of university policies
2009, International Journal of Information Management
Information security policy: An organizational-level process model
2009, Computers and Security
Citation excerpt: If, for example, an employee is caught knowingly violating a policy, managerial-directed corrective action can occur. The literature emphasizes the importance of enforcement: “Policy must be enforced to make it effective” (David, 2002); without enforcement, a policy might as well not exist. The criminology theory of general deterrence emphasizes policing as a means of warding off potential abusive acts primarily through the fear of sanctions and unpleasant consequences (Parker, 1981).
Aligning the information security policy with the strategic information systems plan
2006, Computers and Security
Citation excerpt: There is a growing consensus both within the academic and practitioner communities that the information security policy is the basis for the dissemination and enforcement of sound security practices, within the organisational context (e.g. Baskerville and Siponen, 2002; Doherty and Fulford, 2005). As David (2002) notes: ‘it is well known, at least among true security professionals, that formal policy is a prerequisite of security’. Similarly, Lindup (1995) asserts: