Internal Security Policy and the “Wild” Web 2.0 Frontier
by VPNHaus | 07/15/2010 | Industry Commentary
By David Torre (http://www.linkedin.com/profile?viewProfile=&key=13042025&authToken=vBT5&authType=name&goback=.mid_I2191816620*42)
Internal information security policies have existed within the enterprise since the dawn of the information technology era. Viewed by many as a necessary evil and simply a check-box compliance item, a well-written internal security policy has become, perhaps ironically, more important than ever in a world saturated with digital information.
Traditionally, internal policies were developed to demonstrate an organization's commitment to information security and to provide clear and consistent computing guidelines by which all employees must abide. Even today, such time-honored objectives remain relevant. Yet as mobile and cloud computing continue to shape the information technology landscape, it has become increasingly difficult for information-wielding knowledge workers to protect the organization's most cherished asset: intellectual property.
As if protecting trade secrets from prying outsiders weren't challenging enough, security professionals also face threats that originate from within the enterprise. While tales of malicious insiders or corporate espionage make for intriguing conversation, most of us working in the trenches have discovered that perhaps the most significant risk to the organization is the naive end-user: one who cannot easily discern between safe and unsafe information handling practices. This presents a dilemma of where to draw the line for acceptable levels of security aptitude. Take, for example, a cloud-based solution blatantly advertised as "enterprise-friendly," or a consumer smartphone that ships with a "Connect to Exchange Mail Server" icon on the home screen. It's easy to see how users may become perplexed when attempting to determine where the corporate IT boundary ends and where the still somewhat "wild" Web 2.0 frontier begins.
Fortunately, a clearly defined security policy can forge the foundation needed to cope with present information challenges. Such internal policies can, and should, go beyond the traditional form of abstract language lurking deep within the dusty corners of the corporate intranet and instead foster an environment of understanding and education. In essence, the function of an internal security policy is two-fold. On one hand, it legitimizes the importance of information security and gives security staff the power of enforcement, with documented repercussions for those who choose not to comply. On the other hand, the very same policies benefit the end-user by providing clear-cut guidelines which not only aid in risk reduction, but may actually empower the user community to stay competitive by making intelligent information handling decisions that are congruent with overall corporate business strategy.
Of course, some internal policies are driven by legal or regulatory compliance obligations. Common areas include Payment Card Industry (PCI), HIPAA, and SOX, to name only a few. Yet just because a policy supports legal or regulatory requirements does not mean the policy itself needs to read like a legislative bill. Composing policies in straightforward language that everyone understands will ensure compliance is maintained.
In summary, strong internal security policies are the cornerstone of an information security management system. By providing unambiguous guidelines for corporate computing and information handling, such policies ultimately reduce risk and increase employee awareness.
David Torre is a security consultant and CTO of Atomic Fission. He is based in the San Francisco Bay Area.