Laying Down the Law

As an analyst for the Info-Tech Research Group – the largest IT research house serving the small to mid-sized market – I have a slightly different perspective than my counterparts in other research firms. While they focus on the Fortune 1000 with long term views and strategic plans, we focus on what the smaller business needs: short term opportunities and practical, tactical advice.

As Dark Reading's newest columnist, I'll be taking that approach in my postings here as well – focusing on the "here and now," rather than on forward-looking problems. Some of my postings may seem a little basic to the security experts that regularly visit here – that's because my focus is on the folks in small and medium-sized businesses who may not have security expertise and don't know how to start.

That said, I hope the column will also be useful to the more advanced security readers who need background on unfamiliar topics or are seeking material to help train their less-savvy colleagues and end users. As a former practicing IT security consultant, project manager, and pre-sales engineer, I've been on many sides of the security problem, and I've faced many of the same challenges Dark Reading readers face every day.

I hope you enjoy and find value in this ongoing column. If you have any suggestions, requests, or comments, please don't hesitate to post a message to the board attached to this column.

Making security policy work
Today I want to talk about security policy enforcement – the process of ensuring that the enterprise's security policy is followed. It is targeted at the people and associated processes of the enterprise, not its technology. However, technology is a component of enforcement – technical controls are needed to support these processes. You can make the corporate security policy enforceable by putting both process and controls in place.

The first thing you need to know is what your end users are doing. Without awareness of employee activities, the actions required to enforce the corporate security policy cannot be taken. This awareness is primarily gained through the use of audit and logging tools.

Generic or native logging functions – such as syslog for server monitoring or Active Directory for user monitoring – provide the minimum required capabilities, but the monitoring and reporting functionality of these tools is limited.

To provide enhanced user monitoring capabilities, you need technology such as identity and access management (IAM) tools. IAM actively monitors user activity by tracking access to devices and files, recording who does what.

IAM solutions are not for everyone – they can be expensive and time-consuming, and they typically are only fully deployed by larger enterprises. However, IAM tools are the best when it comes to user activity monitoring, and the technology is becoming more common and more affordable.

You should also consider doing device monitoring through policy compliance software. Such software uses a central management console to establish policy, and a set of distributed agents to both push that policy to the enterprise components and to gather information from them. These tools allow for detailed, consolidated reporting on what is happening with the enterprise's systems.

Management processes
Once the information about user activity has been captured, it must be used – preferably by management that has the authority to enforce policy, and with the support and guidance of human resources. Enforcement must be consistent across users and departments, and, therefore, the procedures that are to be followed need to be clearly defined.

The enterprise can adopt one of two stances: Either all policy contraventions are treated equally, or offenses can be differentiated into more and less severe issues. Using at least two levels of distinction allows the enterprise some flexibility in responding to problems.

For example, some enterprises classify a contravention of the company's security policy as either a violation (minor offense) or a breach (major offense). The first violation results in a verbal warning; the second violation results in a formal, written warning. A third violation may result in immediate termination with cause. In the event of a full-blown breach, the company may reserves the right to take any course of action, including immediate termination.

Using at least two layers of differentiation allows the enterprise to eliminate any feelings that its actions are arbitrary. Seemingly arbitrary actions can undermine the effectiveness of the enforcement measures, and ultimately the policy itself.

Making these rules is relatively easy – adhering to them is much harder. But your organization must enforce policies consistently across all people and departments – otherwise they cannot be effective.

Recommendations

Enforcing security policy is a "people process" that needs to be supported by technological controls. If you want to be sure that your security policies are well-respected and uniformly enforced, you'll need both good technology and good processes.

— James Quin is a senior research analyst at Info-Tech Research Group. Special to Dark Reading.