Bridging the Human Gap in Security

September 2006

CBR presses Symantec's product marketing manager Indy Chakrabarti on the increasingly thorny issue of security policy and its role in compliance.

Every day, CIOs walk the line between tightly securing IT operations and ensuring policies are workable for employees. And all on a shoestring budget, of course.

Humans are often the downfall of the best-laid security plans. But by following a few rules and using the right tools, CIOs can set effective policy to minimize the risk of human error while keeping within budget constraints.

CIOs must balance the human element with the realities of IT security. Setting security policies that are overly permissive will likely lead to vulnerabilities and corruption. For instance, a password policy that has a four-character minimum length and doesn't have to be alphanumeric opens the door for outside intrusion.

But the opposite is also problematic. If workers are required to set very complex passwords and change them every 15 to 30 days, they will do what humans in the modern world must do: write their passwords down and tape them to their computer screen.

To bridge this gap, IT departments must initiate, document and maintain dialogue with every department in the enterprise to find out what works best and what doesn't work at all.

"In good policy creation, we see there should be dialogue with the policy creator and the rest of the company," says Indy Chakrabarti, manager of product marketing at security firm Symantec. "And that dialogue must be iterative because rarely does a policy work for every single worker in a company."

To take an example from its own firm, Chakrabarti says that the company has an anti-virus research team that does not run anti-virus software on its computers, in order to identify and study viruses. To build this exception into the security policy, the IT team needed to communicate with that team to understand the reasons for the exemption, the mitigating control that needs to be put in place, and which machines must be exempted. The exception then needs to be validated by the policy administrator, and remains valid only until the next review date.

"That's the iterative dialogue that you need to have," says Chakrabarti.

Of course, such dialogue is not always easy, particularly in large enterprises that have hundreds of workers, or where workers are scattered in various locations. Symantec tackles this problem with a web-based interface product that can conduct and capture such dialogue.

CIOs must remember that it's a near impossibility to set and enforce policy on their own, Chakrabarti argues. "Even if you have an organization that has a heavily empowered CIO, the reality is business would just find ways to get around the restriction."

Also essential to an effective policy are thorough reviews of third-party best practice guidelines. Symantec integrates into its products raw content from the guidelines of some key organizations, including The SANS Institute and The Center for Internet Security. Both institutions provide deep specifics on the subject. For higher-level guidance, CIOs should look to the International Organization for Standardization (ISO) and the IT Infrastructure Library (ITIL), which offer UK-specific frameworks.

Of course, once policy is set, CIOs need to put an ongoing process in place to review and refine these policies. Symantec recommends that policies be reviewed yearly but monitored monthly or even more frequently. In terms of analysing compliance with those policies, research suggests the frequency of audits is the number one factor in reducing audit deficiencies.

The Security Compliance Council, which was formed by Symantec, The Institute of Internal Auditors and the Computer Security Institute, recently wrapped up a survey of 671 companies to better understand the state of regulatory compliance performance.

A mere 11% of companies surveyed were achieving stellar data privacy and protection performance results. Their behaviour showed that the way to reduce deficiencies was to conduct an internal audit and security monitoring at least monthly.

Indeed, companies that monitor their security policies on a monthly basis showed 15 times fewer deficiencies than those who monitor every 8 months. "They can review the policies less often but monitoring is something you want to do monthly," Chakrabarti says.

CIOs also need to be able to surface how the enterprise's security process is doing. There needs to be visibility not just for the entire company but also its various departments. "You need to be able to show the number of violations per department per policy per year," Chakrabarti explains.

Of course, physically scouring through reams of data to determine violation statistics is time consuming, particularly in a company with hundreds of servers and possibly thousands of workstations and notebook computers. "Automation is key for getting your arms around it," Chakrabarti says. "Also, automation is key to lowering the cost."

Of course, this requires time and money from the IT department. But how much is enough? Chakrabarti says one of the biggest security challenges facing CIOs today is lowering the cost of assessing policy compliance.

The Security Compliance Council's research showed that companies with the most effective security policies spent at least 30% of the IT department's time on regulatory compliance and more than 10% of the IT budget on IT security.

The companies with the fewest deficiencies were spending nearly 13% of their IT budget on IT security. In contrast, companies with the highest number of regulatory deficiencies spent less than 5% of their budgets, the research showed.

Independent research house IDC also studied the cost of policy compliance. A midmarket enterprise could expect to spend more than $2m to completely outsource its compliance operations during the first year, according to IDC. If those tasks were handled internally, the cost in manpower would be significantly lower - about $600,000 in the first year. IDC noted that this figure did not include opportunities lost because compliance staff were not available for other activities.

Regardless, the cheapest option was the use of an automated system, which came to about $400,000 in the first year, IDC determined. Beyond that, once the software is up and running, the cost is nominal because the system requires only software maintenance, IDC said.

Put simply, over a three-year period, implementing an automated software package can cost up to 90% less than outsourcing and half as much as a manual process handled internally.

Symantec offers a broad set of tools to automate the monitoring of policy breaches, as well as policy compliance.

Antivirus software, for example, helps manage policy and policy compliance, Chakrabarti points out, as do the network access control products from Sygate Technologies, which Symantec acquired last year. Sygate Enterprise Protection 5.1 enables companies to protect managed endpoints against known and unknown attacks with desktop firewall, host-based intrusion prevention and adaptive protection technologies. At the same time, the software secures networks against non-compliant endpoints and enforces compliance on contact.

But, for the most part, Symantec products are enforcement focused. Consolidating all the different pieces of enforcement in one place, and measuring them against enterprise policies, is the job of a console that sits on top of these various applications, called Symantec BindView Policy Manager. BindView gives an IT department the ability to create a policy, and includes recommendations on what policies ought to be, based on information from ISO, ITIL and others.

"BindView lets you have that dialogue through the Web with end users to modify policy, then grabs the actual evidence of compliance from the enforcement products," Chakrabarti explains. "And it grabs on a scheduled basis as often as you like."

Symantec recommends nightly checks. "The information would continue to come in every night and stay up to date, but your analysis of the reports going up to the CIO level is something you'd want to do on a monthly basis," Chakrabarti says.

The CIO would review the analysis monthly and probably wouldn't need to escalate it to the CEO unless there was a severe anomaly, he adds. Otherwise, the CEO may want to receive a quarterly update.

Part of the policy equation, of course, is an enterprise's mobile workers. Symantec AntiVirus 3.5 for Handhelds Corporate Edition works on smart phone operating systems, including Pocket PC 2002/Windows Mobile 2003 for Pocket PCs and Palm OS 4.0 or later. There also is the Symantec Client Security product for Nokia Communicator. Chakrabarti notes that Symantec's antivirus platform could report back into BindView.

Symantec currently offers no anti-virus program for BlackBerry devices, but SMobile Systems late last year launched the first anti-virus product for Research in Motion's full range of BlackBerrys, called VirusGuard.

There also are products from other vendors to protect Symbian-run smart phones, notably the F-Secure Mobile Anti-Virus platform.

Symantec's internal policy for smart phones is that all corporate devices and their intellectual property are the property of Symantec and are password restricted. That means every time an employee uses the device, even just to make a phone call, they must type in a password. "It's not fun, but from a corporate perspective it's necessary," Chakrabarti explains.

Also, Symantec Sygate Enterprise Protection provides admission control for corporate notebooks - deciding whom to admit to the corporate network and to what extent. For example, the software may determine that a particular worker gets less privilege and less access when working from a local Starbucks than a colleague connecting from a more secure wireless location.

Beyond that, Symantec also advises that the IT department ensure that only remote users with a personal firewall, patches and anti-virus software running and up-to-date are able to access the corporate network.

Not only does BindView help CIOs establish, monitor and automate security policies, it also dovetails into patch management. Symantec's system can show when a machine or application is missing a patch, so the IT administrator can then trigger the deployment of the patch. "We don't automatically trigger remediation," Chakrabarti says. Some regulatory mandates require a separation of those who monitor patches and those who deploy them, he points out.

One of the most egregious high-profile cases of breaching policy was at the Driver and Vehicle Licensing Agency in Swansea. In late June, the agency sacked 14 workers who were sending so many pornographic email attachments to people outside the organization that it overwhelmed its mainframe computer. Among the culprits who downloaded the off-limits pornography from the Internet during working hours was an executive officer.

The DVLA said it has since introduced tighter policy controls to monitor all emails with images attached, but the embarrassing national media attention it generated threatened to undermine the agency.

But what kind of disciplinary action is appropriate and how can enterprises avoid a breach escalation similar to DVLA's?

Chakrabarti says it is important for CIOs to communicate to employees what is incumbent on them. Using Symantec's web-based communication tool, employees would then be required to click a box to confirm they had read the policy and agreed to comply. This agreement then needs to be stored, because it may act as a legal safeguard for the enterprise.

"I don't think we're any longer in a place where we can slap people on the wrist and say don't do this again," Chakrabarti says. "We literally need to say 'this can result in termination of employment'. There has to be a rapid escalation path. The first time you have a discussion with the VP of your business unit, the second time you're terminated."

Since there are so many potential legal ramifications of disciplining workers who breach policy, it's difficult to come up with a one-size-fits-all approach. Bear in mind, a company may be held legally responsible if it does not take steps to discipline or terminate a worker whose breach offends another worker.

A committee should be formed to review policy violations and determine disciplinary actions, Chakrabarti argues. That committee should include board members who are not employed directly within the company, as well as internal employees.

Above all, CIOs should not treat security policy as a project. Too often, policies are the result of a violation and are set up within a specific time frame. Once completed, CIOs often then move onto the next project. "Compliance is not a project, it's a process," Chakrabarti says. "You need to stick with it … otherwise, you're just throwing away money."

CBR Opinion
Ideally, at least 10% of a company's IT budget should be spent on security policy. But CIOs must ensure an ongoing dialogue with each department head to set an effective, workable policy, and each employee should be asked to sign a document stating they understand what is required of them. Any worker with a corporate mobile device must also be part of the company-wide policy, while monitoring should be automated and daily. In the absence of a serious violation, CIOs should review monthly reports, while CEOs should expect quarterly updates. Policy review and dialogue must be ongoing, and be periodically assessed by a corporate committee.