Writing And Enforcing An Effective Employee Security Policy

  /     /     /  
Publicated : 22/11/2024   Category : security

Writing And Enforcing An Effective Employee Security Policy


Enterprises have been writing IT security policies for decades, and employees are still violating them. Here are some tips for breaking out of the rut


[Excerpted from Writing And Enforcing An Effective Employee Security Policy, a new, free report posted this week on Dark Readings
Insider Threat Tech Center
.]
Security policies are designed to communicate all the ways in which a company protects its information assets. Companies require that employees read and sign off on these policies, but they are all too often misunderstood or just ignored.
Why do companies continue to struggle with something that has been around for so long? Experts agree that policies are often confusing to the very people who are required to adhere to their tenets. Companies also often use standard compliance regulations as their security policies, leaving big holes where issues specific to their own businesses are not covered.
It is also common, say experts, for a company to write a security policy once, then never (or rarely) touch it again. This approach leaves gaping holes as new technologies and computing models come to the fore. And even if a security policy has been well-developed, companies have not proved to be very good at communication or enforcement.
The IT security policy problems companies face today nothing new -- they go way back. Theyre never as up to date as you want them to be, and theyre never as enforceable as you want them to be, says Rich Mogull, CEO of security research and analysis firm Securosis.
Today, companies are dealing with new issues, such as social media and the bring your-own-device phenomenon, but where there have been computing systems, there have been security policies. So why is policy such a tough nut to crack?
For one thing, policies often dont cover the right ground, or enough ground. Any good-sized organization will have a variety of security policies in place -- for acceptable use, remote access, data sensitivity and so on. There are policies for different things and for different user populations, Mogull says. Make sure the one you are using is the right one.
When developing security policy, the organization must determine what it wants to accomplish with that specific policy. To help de-fine objectives, it is important to:
* Include all relevant stakeholders in policy discussions. These individuals may include IT personnel, business leaders, system administrators, HR and legal representatives, auditors and even end users.
*Identify what needs to be protected and controlled.
*Identify how people and systems interact.
Regarding that last point, companies have to be careful to include all of the people who engage with their systems, not just traditional employees.
One group of stakeholders that companies tend to forget when they are developing policy is contractors, says Chris May, technical manager of the Workforce Development Team within CERT. We have gone into organizations and found that they have very good policies written for their employees -- very good HR policies, IT policies, termination policies, says May.
But the same policies do not apply to contractors. When we ask about contractors --Do you do the same background checks? Do you have the same termination policies?-- they just kind of look at us with a blank look a
lot of the time. But contractors are an insider threat -- they are inside of your organization, and they have authorized access.
In addition to knowing who is accessing their systems and data, companies need to proactively determine what they will do when they uncover negative information, says
Dawn Cappelli, technical manager, enterprise threat and vulnerability management, CERT Insider Threat Center.
The one problem that Ive seen with policies is that theyre written, but people dont really think about the consequences, says Cappelli. So, for instance, an organization might have a policy that they do background
checks on anyone that theyre going to hire, but have they thought ahead in terms of what they are going to do when they find something?
To get more details and recommendations on developing employee security policy -- and tips on how to enforce and revise it --
download the free report on writing and enforcing IT security policy
.
Have a comment on this story? Please click Add a Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News

▸ ArcSight prepares for future at user conference post HP acquisition. ◂
Discovered: 07/01/2025
Category: security
▸ Samsung Epic 4G: First To Use Media Hub ◂
Discovered: 07/01/2025
Category: security
▸ Many third-party software fails security tests ◂
Discovered: 07/01/2025
Category: security


Cyber Security Categories
Google Dorks Database
 		Exploits Vulnerability
 		Exploit Shellcodes

CVE List
 		Tools/Apps
 		News/Aarticles

Phishing Database
 		Deepfake Detection
 		Trends/Statistics & Live Infos



Tags:
Writing And Enforcing An Effective Employee Security Policy