There are 3 "tiers" of corporations out there with respect to policy as it relates to IT Security, in my humble opinion. They are as follows:
- Anarchy (30%): Complete disarray. These types of companies may have a policy or two, but they are likely incoherent, poorly distributed, and broadly ignored. These are companies that grow too quickly, disregard their IT departments, and abuse their technologies - these folks have two options - move up a tier or brace for disaster. One of the two will happen.
- Law (60%): This tier is where, I hope, most companies find themselves. You have policies, they may even be well-written, well-defined, cover all your base risks, and are distributed well amongst your population of employees and relevant users. Your problem is that you can't enforce these policies.
- Order (10%): If you find yourself in this tier, consider yourself very lucky. Companies in this tier not only have well-documented and well-distributed policies, but someone actually enforces them. The difference between having something and having something that's enforceable is here at this tier. This is a very select population of companies, and you'd be surprised to know it's rare to find them in the "enterprise" class of companies.
My point - the buzz-word in the IT Security world as it relates to upper management has been policy in the last several years. Yes, we all have these "cool" technologies we implement, and some of us even draft up acceptable use documentation and guidelines; some of us call these policies and put them in bound and glossy folders and give them away to our users. That's all well and good, but what happens when someone challenges your policy? What happens when your policy says that non-company assets are not allowed to be plugged into your network, but a middle-manager has an army of consultants who come in and insist on plugging in their laptops to do whatever it is they were commissioned to do? Ask yourself this question, and the oft-given answer is -- the need to conduct business will win every time and the policy will be ignored (at least temporarily). So what is the point of the policy? Remember, that one 'exception' will quickly become the accepted standard as general users watch the policy be subverted. So regardless of what your policy says, a few weeks later everyone is having random visitors plugging their laptops into your network. What went wrong?
I would argue that the problem was not with your policy, but with the "teeth" behind it. What should have happened was that, rather than simply being told "you're being overridden in the name of business," the manager wanting to subvert policy should have needed to escalate the matter. The matter should have reached the CISO, or maybe even the CIO - and that's where you should have had your backing. The CIO should have heard the argument and made an assessment as follows:
- The policy exists for a reason and it's the accepted standard (law) in the company and cannot be subverted
- An alternative is to provide the consultants with resources to use for the time they are on your network -OR-
- The consultants should have their machines somehow vetted by the security team, and an amendment is made to the policy to provision for this type of requirement going forward
What would your CIO do if faced with this situation? Do your policies have teeth? I will offer you (from my experience) one method of giving your policies teeth. I will dispense my formula to you, which you can use at your own will - I make no guarantees this will work for you, but will tell you that it's worked for me in the past.
- Never develop a policy in a vacuum; consider business requirements and non-IT factors (such as the consultant example above) that may complicate your execution of the policy you're writing
- Write a policy that's straightforward - the shorter the better honestly. Number your sections, lay it out logically, and proof-read it for logic problems and contradictions.
- Give it to your grandmother, wife, or anyone that doesn't work in IT. Ask them if they understand it, and what challenges to productivity they can find in it (trust me on this one... this is a gem)
- Give it to your marketing or communications team. If you don't have one of these, find a PR firm, pay a small fee and have your policy "polished" for user-friendliness and effectiveness.
- Receive approvals in steps - start with local managers, and work your way up to the CIO. When you reach your CIO's office, you can show how you've done your homework and that people below the CIO agree with your policy, that it's user-friendly, and that you "understand the business needs" while trying to enforce security policy
- Ask for the ability to enforce the rules you've set forth. Have a conversation with your CIO, and this is a tough one, about how policies will be enforced. Ask what penalties there will be, what actions will be taken on escalations, etc. Do not let this go.
- Market the policy to your users. Make it fun for people to read/understand what the policy is... have a contest to see who can answer the most questions correctly on a quiz which roots its answers in the policy. Offer some trinket or tchotchke to the users who do the best job -- incent your users to read your policy.
- When a chance comes up to enforce the policy, always play the understanding role first and foremost. Never give the answer "well you can't do it, period, because the policy says so" - you'll lose the escalation to the CIO, almost guaranteed. Try to understand the need, offer suggestions, and document this for further escalation or compromise.
- When you need to, pull out the big bat, and make sure you pick your battles wisely. Don't squabble and run to your CIO with every little violation - try to handle your own playground. You don't always want to run to mommy every time your pride is hurt.
- Overall, enforce policy consistently, fairly, and with a gentle ear and a firm hand.
Good luck out there.