By Matthew Southwell
Local enterprises finally appear to be buying into the need for effective security policies that regulate user behaviour and help protect companies from costly security breaches. Furthermore, they have even cottoned onto the fact that these policies have to be communicated to staff if they are to succeed.
Evidence of this trend comes from a recent ITP.net survey, which reveals that 21% of users believe their company communicates security policies very effectively while a further 31% say their employer lays down the law quite effectively.
Although 22% of respondents to the spot poll accuse their company of ineffective communication, those of a sunny disposition could take heart from the fact that the users know such policies actually exist.
The need for security policies, and for them to be well communicated, is paramount as it is the ultimate ingredient in the security mix. No matter how advanced the tools offered by vendors become, they will fail unless user behaviour is well regulated.
“An effective policy covering all aspects of security, not just viruses, is important and what is more critical is actually implementing it within the infrastructure,” says Amer Farid, Habib Bank AG Zurich’s assistant vice president.
While there are no hard and fast rules for disseminating security policies, it appears as if the more inventive the delivery method, the more likely it is they will stick in a user’s mind. Almarai, for example, uses posters, flash cards, e-mail messages and classroom sessions and the Saudi dairy monitors policy adherence with its remote PC diagnostics package.
Elsewhere, Dubai Refreshments has taken a more hands-on approach, taking users aside and explaining why security is important, then following this up with e-mails and official warnings if necessary.
Just as there is no official rule on how security policies are communicated, there is no law governing what they should cover or how detailed they should be. Vernon Fryer, head of information security at Information Management Technologies (IMT), believes they should be short and to the point so as not to put the reader off.
“Some people are creating extremely thick policy documents and a typical example of a corporate security policy is sometimes 50 or 60 pages. This normally should not be the case. A policy document should never ever really be more than five pages. It should be considered as a guideline from top management,” he says.