Saturday, January 11, 2014

Information Security Policy Standards and Guidelines

The need for good, solid security policies, standards, and guidelines is fairly obvious: without a framework in place, there can be no cohesive security in an enterprise. However, as I have mentioned before, there is also a need to stay flexible and allow for changes and advancements in technology and business requirements.

http://searchsecurity.techtarget.com/feature/Information-security-policies-Distinct-from-guidelines-and-standards

That being said, the term “flexible” just begs to be abused. Just because a policy can be changed doesn’t mean it should be or needs to be changed. We need to avoid policy changes driven by knee-jerk reactions, e.g., every time a news article or report appears about a large business getting hacked, I have to add three or four more characters to my password.

http://www.post-gazette.com/businessnews/2012/08/30/Password-length-is-more-beneficial-than-complexity/stories/201208300277

I feel like I’m beating this point to death, but a balance between security requirements – policies, standards, and guidelines – and user/business requirements must be achieved. How much more secure are you really when most of your users have their username and password written down and stashed under their keyboards because you have forced an overly long and complex password requirement on them?

Users will always try to circumvent a policy or a system that either makes their jobs more difficult or prevents them from doing things the way they have always done them, and that creates a security nightmare. If a poorly planned policy actually prevents users from doing their jobs efficiently, thereby forcing them to avoid or work around the requirement, then a policy or systems review is necessary so that normal user activity can be carried out in a secure fashion.

http://infosecisland.com/blogview/14329-Security-Stupid-Is-As-Stupid-Does.html

Policies and systems need to be reviewed periodically to determine whether they are still relevant, since as technology advances and changes we need to adapt our security policies to fit the new needs and requirements. Technologies like biometrics and single sign-on can go a long way toward creating a more secure authentication step than a 27-character alphanumeric password with special characters. Technologies need to be put in place that allow a secure environment with the least amount of burden on your users: if they don’t notice it, they won’t try to break it. Not all changes can be implemented invisibly, but if we try to envision proposed changes from the viewpoint of the users, we can certainly try to make them as painless as possible. In the end, we will experience less pushback from users and an overall higher level of security in our environment.

1 comment:

  1. Flexibility is definitely an aspect of a good security policy; unfortunately, it is commonly abused when the security managers don't understand the systems they are responsible for. Inexperienced security managers tend not to know which parts of a policy should be flexible and which parts should not. A good admin will usually be able to convince a security manager to waive requirements the admin finds a pain to properly implement.

    One example is the requirement to audit log files. Depending on requirements (PCI, SOX, HITECH, STIG), admins should review the logs periodically; an admin will tell the security manager this is done by a tool, when in reality the tools are almost never looked at until after the fact.