Security policies are designed to communicate all the ways in which a company protects its information assets. Companies require that employees read and sign off on these policies, but they are all too often misunderstood or just ignored.
Why do companies continue to struggle with something that has been around for so long? Experts agree that policies are often confusing to the very people who are required to adhere to their tenets. Companies also often use standard compliance regulations as their security policies, leaving big holes where issues specific to their own businesses are not covered.
It is also common, say experts, for a company to write a security policy once, then never (or rarely) touch it again. This approach leaves gaping holes as new technologies and computing models come to the fore. And even if a security policy has been well-developed, companies have not proved to be very good at communication or enforcement.
The IT security policy problems companies face today are nothing new -- they go way back. "They're never as up to date as you want them to be, and they're never as enforceable as you want them to be," says Rich Mogull, CEO of security research and analysis firm Securosis.
Today, companies are dealing with new issues, such as social media and the bring-your-own-device phenomenon, but where there have been computing systems, there have been security policies. So why is policy such a tough nut to crack?
For one thing, policies often don't cover the right ground, or enough ground. Any good-sized organization will have a variety of security policies in place -- for acceptable use, remote access, data sensitivity and so on. "There are policies for different things and for different user populations," Mogull says. "Make sure the one you are using is the right one."
When developing security policy, the organization must determine what it wants to accomplish with that specific policy. To help define objectives, it is important to:
* Include all relevant stakeholders in policy discussions. These individuals may include IT personnel, business leaders, system administrators, HR and legal representatives, auditors and even end users.
* Identify what needs to be protected and controlled.
* Identify how people and systems interact.
Regarding that last point, companies have to be careful to include all of the people who engage with their systems, not just traditional employees.
One group of stakeholders that companies tend to forget when they are developing policy is contractors, says Chris May, technical manager of the Workforce Development Team within CERT. "We have gone into organizations and found that they have very good policies written for their employees -- very good HR policies, IT policies, termination policies," says May.
"But the same policies do not apply to contractors. When we ask about contractors -- 'Do you do the same background checks? Do you have the same termination policies?' -- they just kind of look at us with a blank look a lot of the time. But contractors are an insider threat -- they are inside of your organization, and they have authorized access."
In addition to knowing who is accessing their systems and data, companies need to proactively determine what they will do when they uncover negative information, says Dawn Cappelli, technical manager, enterprise threat and vulnerability management, CERT Insider Threat Center.
"The one problem that I've seen with policies is that they're written, but people don't really think about the consequences," says Cappelli. "So, for instance, an organization might have a policy that they do background checks on anyone that they're going to hire, but have they thought ahead in terms of what they are going to do when they find something?"
To get more details and recommendations on developing employee security policy -- and tips on how to enforce and revise it -- download the free report on writing and enforcing IT security policy.