Originally Published: Monday, 30 August 1999 Author: Quentin Cregan
Published to: enchance_articles_security/Advanced Security Articles

Embrace your Policies - by Edwin Covert - CISSP

Ah, technology. Isn't it neat? Look how shiny it is. All pretty and full of blinking, green and red, little lights. Technology cannot be discussed in a vacuum. The topic of this paper is much more important than technology alone. This paper focuses on technology's forgotten other half: policy. Policy is much "older and wiser" than technology, but it seems to have been forgotten in many circles. The effect of not creating a policy for a system, or of not changing a policy when a system is updated, will be a security incident. It is analogous to getting a new BB gun as a child and shooting yourself in the foot because you did not pay attention to the listed safety precautions; you were too busy looking at the shiny barrel.

How do we define technology? Technology is, according to Webster's online dictionary, "the practical application of knowledge…". How does that fit into our discussion? Technology is the set of tools we use that we can manipulate and create to perform certain tasks. Those tasks could be anything from sending a piece of electronic mail to rearranging a database. What is a policy? A policy, for those of you who have forgotten, is a document or set of documents that governs how we use technology. Or, again as Webster's states: "a high-level overall plan embracing … general goals and acceptable procedures…". Simply put, a policy is the rules that govern how we use the tools given to us through technology.

Policies are often overlooked in today's fast-paced world. Too often, if they are created at all, they are built after the fact, usually when someone says, "Hey, look at this really cool piece of technology we just got! Oh wait! Should we be considering how our users will be using this really cool piece of technology?" That is a shame. A good policy could eliminate a lot of the repetitive issues we, as a profession, deal with on a daily basis (e.g. viruses, employee misuse), thereby allowing us to focus our limited resources on the more important tasks at hand.

What is a good policy? Asking that will get you as many answers as there are people; however, a few points are common to all good security policies. They are clear, concise, relevant, communicated to users, and enforceable. This last point is very important. If you cannot enforce a security policy, all you have done is an eighth grade creative writing assignment. You cannot have technology without a policy to govern it. Conversely, you cannot have a security policy without some technological method to enforce it. Their relationship is symbiotic: one needs the other. They play off of each other much as you would not have a quarterback in football without an offensive line, and you certainly would not need those linemen if there were no quarterback to protect. Unfortunately, in today's world there is a real lack of policy that meets the above five criteria. And if a policy does exist for a system, most of the time it is written and then forgotten about. While systems change over time, rarely do the rules governing their use.

Who should create the policy? In my opinion, this task needs to include representatives from all affected groups: system administrators, security types, management and users. All need to have a say in the creation and have a chance to "buy-in" to the policy. This will reduce the problem of "user acceptance" that many of us have faced when building a policy for a system.

Just as you would never forget to call your mom on Mother's Day, policies should be reviewed and updated where necessary to keep up with the paradigm shifts of modern technology. At the very least, they should not be forgotten about when a system comes online. Technology alone cannot solve the ever-increasing security risks and events we all face today. Technology coupled with a strong and enforceable policy can go a long way toward securing your system. Not treating policies as important creates ever-increasing headaches, costly mistakes by users, and breaches in the system itself.

Edwin Covert, CISSP, is a Network Security Consultant with Integrated Communication Solutions. He can be reached at ecovert@icscorp.com.