Laying Down the Law

Security policy isn't worth much unless you enforce it properly. Here are some tips on how to handle enforcement in your organization

As an analyst for the Info-Tech Research Group – the largest IT research house serving the small to mid-sized market – I have a slightly different perspective than my counterparts in other research firms. While they focus on the Fortune 1000 with long term views and strategic plans, we focus on what the smaller business needs: short term opportunities and practical, tactical advice.

As Dark Reading's newest columnist, I'll be taking that approach in my postings here as well – focusing on the "here and now," rather than on forward-looking problems. Some of my postings may seem a little basic to the security experts that regularly visit here – that's because my focus is on the folks in small and medium-sized businesses who may not have security expertise and don't know how to start.

That said, I hope the column will also be useful to the more advanced security readers who need background on unfamiliar topics or are seeking material to help train their less-savvy colleagues and end users. As a former practicing IT security consultant, project manager, and pre-sales engineer, I've been on many sides of the security problem, and I've faced many of the same challenges Dark Reading readers face every day.

I hope you enjoy and find value in this ongoing column. If you have any suggestions, requests, or comments, please don't hesitate to post a message to the board attached to this column.

Making security policy work
Today I want to talk about security policy enforcement – the process of ensuring that the enterprise's security policy is followed. It is targeted at the people and associated processes of the enterprise, not its technology. However, technology is a component of enforcement – technical controls are needed to support these processes. You can make the corporate security policy enforceable by putting both process and controls in place.

The first thing you need to know is what your end users are doing. Without awareness of employee activities, the actions required to enforce the corporate security policy cannot be taken. This awareness is primarily gained through the use of audit and logging tools.

Generic or native logging functions – such as syslog for server monitoring or Active Directory for user monitoring – provide the minimum required capabilities, but the monitoring and reporting functionality of these tools is limited.

To provide enhanced user monitoring capabilities, you need technology such as identity and access management (IAM) tools. IAM actively monitors user activity by tracking access to devices and files, recording who does what.

IAM solutions are not for everyone – they can be expensive and time-consuming, and they typically are only fully deployed by larger enterprises. However, IAM tools are the best when it comes to user activity monitoring, and the technology is becoming more common and more affordable.

You should also consider doing device monitoring through policy compliance software. Such software uses a central management console to establish policy, and a set of distributed agents to both push that policy to the enterprise components and to gather information from them. These tools allow for detailed, consolidated reporting on what is happening with the enterprise's systems.

Management processes
Once the information about user activity has been captured, it must be used – preferably by management that has the authority to enforce policy, and with the support and guidance of human resources. Enforcement must be consistent across users and departments, and, therefore, the procedures that are to be followed need to be clearly defined.

The enterprise can adopt one of two stances: Either all policy contraventions are treated equally, or offenses can be differentiated into more and less severe issues. Using at least two levels of distinction allows the enterprise some flexibility in responding to problems.

For example, some enterprises classify a contravention of the company's security policy as either a violation (minor offense) or a breach (major offense). The first violation results in a verbal warning; the second violation results in a formal, written warning. A third violation may result in immediate termination with cause. In the event of a full-blown breach, the company may reserves the right to take any course of action, including immediate termination.

Using at least two layers of differentiation allows the enterprise to eliminate any feelings that its actions are arbitrary. Seemingly arbitrary actions can undermine the effectiveness of the enforcement measures, and ultimately the policy itself.

Making these rules is relatively easy – adhering to them is much harder. But your organization must enforce policies consistently across all people and departments – otherwise they cannot be effective.


  1. Establish how the policy adherence will be enforced and communicate it. Make employees aware that actions will be tracked and that consequences exist for those that are inappropriate. A hierarchy of severity of inappropriate actions needs to be part of this communication as well, as do the specific actions that will be taken in each case.

  2. Assign responsibility for enforcing the policy. Both management and the human resources department will need to be involved in the process, but one group will need to be empowered to take action. Typically, this will be management under the directed guidance of HR. These lines of communication need to be carefully built before the first problem occurs, so that appropriate action can be swiftly and efficiently taken.

  3. Determine what aspects of policy compliance need to be tracked. Basic logging capability is inherent in many everyday tools deployed across the enterprise. If, however, the security policy is exacting and specific, these native solutions may not have sufficient functionality. The more granular the corporate requirements, the higher the need for specialized tools, such as IAM and policy compliance products.

  4. Many of the more advanced tools come with other capabilities, so choose wisely. An advanced monitoring and logging solution, whether it's an IAM or a policy compliance tool, offers security capabilities beyond just detailed logging. Given the expense associated with these solutions, pick the one with the broadest applicability to the enterprise's needs.

Enforcing security policy is a "people process" that needs to be supported by technological controls. If you want to be sure that your security policies are well-respected and uniformly enforced, you'll need both good technology and good processes.

— James Quin is a senior research analyst at Info-Tech Research Group. Special to Dark Reading.

Editors' Choice
Jai Vijayan, Contributing Writer, Dark Reading
Kelly Jackson Higgins 2, Editor-in-Chief, Dark Reading