In the world today, through the news reports of the many breaches that have happened, the conversations about security always lead back to policies. The almighty security policy, the statement of protection and action companies use as the fall back to protect themselves and shift accountability and blame to someone else who ‘violated’ the policy. Information security policies are almost like elementary school field trip permission slips, if a kid falls off the cliff the permission slip signed by the parent absolves the school from blame (that’s the thinking anyway). The next time you reach about a breach, soon or later, there will be a statement or news report on an existing policy that was or was not followed… completely ignoring the primary focus point of the company’s ability to govern and enforce said policies.
Just because it is written does not mean your job as an Information Security manager ends. Thinking you can trust, assume, rely on employees, contractors, managers and other resources that have access to read, understand and fully follow the policies is setting up failure. Yet, when breaches happen, the policies are used as the safety nest and everyone accept that answer.
There’s more at stake than one individual’s inability or unwillingness to follow a policy published by your security department. Potentially millions of people’s identities could be hanging in the balance of staying private or becoming the next sale point in the black market. Because Jane from accounting socializes with the boss’ wife and doesn’t want to be inconvenienced with a new security process it’s OK to risk that.
It’s just as critical to have your governance and response plans in place for policy violations along side your policies. The primary rule is Never write a policy you are unable to or unwilling to enforce. But it happens all the time and in most companies I have been in and worked directly for have the second major security sin in place to accommodate ‘special cases’ — the exception process. The spine cringing process and golden ticket excuse to not do something, ‘Since I don’t like it and I know the CEO, I’ll just get an exception and it will be fine. I don’t have to follow this.’
The problem with most exception processes is they are not exception as they are intended to be. Getting an exception first and foremost should be a temporary stop gap because something had to happen where the security gap could not have been closed in time. Exceptions should also be a one time deal, no longer than 6 months in duration (12 months seems to be standard), and exceptions will not be issued without a full detailed plan to get out of the exception. Rather the practice is I get an exception, I’ll deal with it later, time passes, I get an extension for the extension and the cycle continues until the app has a major uplift or is sunsetted. What’s the purpose of the policies and exceptions in this case?
One step farther, most places are not reviewing or even conducting risk reviews to put pressure to close those exceptions. They slide under the radar and turn into the cliché of exceptions are the norm. Security programs that allow this to happen are failures.
Then we come to the individual contributors, employees, resources or whatever HR term you want to call them. These are the people that bring you down, the ones with the access but not the security training as you do. You can have a policy that says to not browse social networks but how many actually follow it? 80%? 90%? That’s good but not great.
I was at a conference with a CISO of one of America’s largest banks an he was asked why his security team was so large, he was pushing 200 security focused team members. His reply I will never forget because in my experience since then, has been dead accurate. He said that in any organization 1% of your employees are the ones you need to be scared of. With an employee base of 250,000 employees that put his internal high risk employees at 2,500. Add on the rest of the work and 200 security folks is justified. He went on to explain that the 1% was phishing victims, bad downloads, abuse, fraud, neglect, naivety, poor employee, criminal intent, etc… It wasn’t 1% are hackers, just 1% are high risk to cause security issues.
That loops back to the policies and what to do with your 1%. The answer is simple but many are unwilling or afraid to actually do it. Tie policy compliance to employment status. Everything is measured, metrics recorded, usernames logged, websites visited tracked, bandwidth used, files accessed, records viewed, doors entered, hallways walked down, emails sent. This is why we have this push to record everything and alert. This is why having a SIEM (Security Information Event Management) system in your environment is vital. To watch and react.
So when you have an employee repeatedly visit websites they are not supposed to, access files or rooms they shouldn’t at the times they do, suck bandwidth by playing games, pulling down 1,000 sensitive records with no business purpose, you need to act on that. Those are violations of your policy and this is where your governance and response plans need to be enacted. This is not bad cop, big brother actions as some I speak to think it is. This is about protecting the business, the data, and the customers/partners as everyone expects you to do.
From personal experience as a Information Security leader I can assure you it doesn’t take more than two HR involvements to increase policy conformity. My partnership with HR, working with them to get them to understand that an employee’s compliance to security policies is just as important as HR’s Code of Conduct. If you hit a co-worker in anger, steal or vandalize you are fired on the spot and no one bats an eye that this is a ‘big brother’ action. However when an employee abuses their access and looks up client records when they have no business to the same rules do not apply… unless the response plans are owned by HR and they respond to Information Security’s governance reports. Then you have success.
This is the dirty side of security, it happens and if you have not had to deal with it just wait because you will eventually. There will be a time when you will be faced with the ugliness of human nature and have to get your hands dirty. Reducing the potential of those situations can be handled by enforcing violations as they occur.
As one leader said to me (I’m paraphrasing”) – ‘Why give them a sticker for completing a security course? They should be happy they can keep their job.’
You leave the door open to the bank vault and you’re fired, leave a backdoor with all the access open in a digital system… meh, he didn’t follow the policy, oh well…
Don’t be afraid to do what is necessary or don’t complain when the inevitable happens to your systems either through mistake or malice.
End of line.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.