Policy patrol

With a number of high-profile data breaches in the news, companies are increasingly looking to shore up their shaky IT policies with solid examples of best practice. Imthishan Giado asks security experts for their advice.
By Imthishan Giado
Sat 25 Oct 2008 04:00 AM


When it comes to top priorities within an enterprise, IT policy often ends up lowest on the list - and it's not difficult to see why.

After all, a comprehensive IT policy that demarcates usage of IT infrastructure and regulates data handling to prevent misuse or loss is essentially a bill of restrictions for users.


It gives them little incentive to follow yet another set of rules telling them what they can and cannot do.

This does not negate the fact, however, that instituting an effective, strictly-enforced IT policy is essential to ensure that regional enterprises do not suffer the kinds of embarrassing incidents of data leakage that have plagued government organisations in both the UK and US.

Nor do firms want to experience situations where highly-placed employees manage to leak confidential information or trade secrets for either profit or out of spite.

This isn't, however, to say that companies in this part of the world operate completely without the safety net of an IT policy.

The problem, says Faisal Khan, senior security consultant for McAfee Middle East, lies in the fact that many firms do not adequately explain to employees that rules and regulations exist.

"People put security in HR manuals here and there, which no one reads. So you need to market security policies across your employees. People don't need to enforce security - they need to market it as an acceptable option to the human mind. Once accepted, they'll start understanding it. But the hard route is backing it with HR policies and strict guidelines and everything which should always be there, provided you have enough education for your employees," he says.

Vineet Chhatwal, managing consultant for the Global Business Transformation Group at PA Consulting agrees, saying that many departments waste valuable time writing thick rule books which people simply ignore.

He suggests a better way of looking at policy: "You should break it down into two parts. One is the mandatory processes which everybody needs to follow, irrespective of where you are in the organisation.

Second, in a lot of companies when you sign your letter of employment or attend induction programmes, they're now increasingly dedicating at least half an hour to talking about specific information security issues and typical dos-and-don'ts.

It's this whole thing about architecting a policy in a comprehensive manner and breaking it up into parts that are easily digestible capsules, you basically should give it to them byte-size so people can quickly have a look at it and understand what's required," he continues.

"The third part is about ensuring continuous IT security awareness - which is still sort of non-existent in most organisations. You can have a brilliant security policy, make people aware of it in the induction programme - but things keep changing all the time and then there are only piecemeal messages. Just like you have a disaster recovery test, you need to have security awareness events. If you get these three components all right, then you get the right balance between the investment you make in security and the value that you get in terms of secured assets," says Chhatwal.

IT policies aren't tremendously difficult to write, but Chhatwal notes that many firms stumble by doing too much work trying to protect every single piece of data they possess.

"The policy has to be linked to whatever information assets that you're trying to protect. Everything doesn't need to be protected equally. If you're a large organisation and you're trying to protect everything based on the highest level of security, the system overheads will be huge," he says.

"So the key thing to do is define your information access based on the risk that you're exposed to. Different companies apply different methodologies. Some assess the public relations issues around a leak or a possible competitive advantage. There are some which in a high transaction kind of environment, look at availability issues and what kind of downtime is needed after a system is compromised," adds PA Consulting's Chhatwal.

When it comes to monitoring employees for actual violations, McAfee's Khan is a strong advocate of using video cameras as a form of subtle vigilance:

"It's all psychological. If there are cameras above you, even if they're not working, the guy will not try to steal. Let employees know they're being monitored - they won't do anything wrong. This will stop 80% of the regular employees from trying to do something wrong. For the remaining 20% who are too smart - we need cameras to monitor them."

There are some, however, who say that this approach will in fact have the opposite effect of engendering a sense of hostility among users who feel slighted at the lack of trust from senior management.

Ivor Rankin, practice manager, operational security services, Symantec MENA says these fears are natural - but largely unfounded.

"We're not advocating an Orwellian-type society where every individual is being monitored 24/7. The organisation has the right to monitor for violations of acceptable usage policy and to deal with these violators. Even though it's a controversial topic, the fact is that technology, if used intelligently, can give a good idea through monitoring employees of what is actually happening without being invasive and looking at people's personal documents," states Rankin.

"People think that when we talk about real-time monitoring of systems that we're going to be infringing on their privacy, going through personal documents and logging every key stroke that they type. Although it may happen in one or two organisations around the world, it's generally not the way most organisations operate," he adds.

Tareque Choudhury, head of BT's security practice offers a different take, saying that many enterprises are looking for outside monitoring:

"We're seeing a lot of popularity in outsourcing monitoring to external companies like CounterPane and Qualys. They do trend analysis - if they see something happening, they alert you. We are seeing companies going that route and I think it's inevitable. Managed security services will be a really big thing in the next 18 months."

Chhatwal warns, however, against enterprises that move too far onto the side of technology and disregard the human element that is also involved:

"You shouldn't automate for the sake of automating, which leaves you with a very secure automated frontier protecting information that might be better guarded by physical security.


"From a compliance point of view, if you have an internal audit department, I think they have a big role to play as far as compliance is concerned. For example, who's monitoring the IT manager himself? It's a balance you have to find between the compliance groups," he continues.

The actual violations that occur can vary considerably in severity from installing unauthorised applications to actual intent to profit from valuable internal data.

McAfee's Khan says the response to detection of a violation should be swift and uncompromising - especially if employees choose to go ahead and break rules after being trained on the rules of the policy.

"If we give an employee a fully locked down company notebook, who then goes home and installs applications, he has clearly violated the code of conduct and ethics of IT policy even though you have educated him. That needs to be backed up by HR either with a warning letter or a couple of letters in sequence. At McAfee, we give three warning letters - after the fourth, you're terminated, my friend," he cautions.

PA Consulting's Chhatwal suggests that most violations are not intended to harm the organisation, but can stem from more petty concerns:

"Sometimes, they are internal in terms of people peeping across various projects or trying to get each other's salaries and stuff - which is very common in the Middle East. I once received a torn envelope containing my salary slip. So there are very limited ways in which you can control that."

But other infringements, he adds, are not so benign:

"If you look at banking, there are so many new companies despite the fact that everyone says the UAE is overbanked. Interacting with them, you realise that whole teams have moved between organisations and they do tend to walk away with a lot of customer information.

"In the case of retail, let's say you want to target credit cards which is extremely competitive. If you have a ready database of people and you know which cards they're holding, that's valuable information - and something that companies need to be very careful of," finishes Chhatwal.

At the end of the day, says Symantec's Rankin, security is a culture that has to be bred and instilled within an organisation:

"The simple fact that I can hand you a set of policies does not necessarily mean we've actually accomplished anything. Unless those policies are practical, implemented and well understood, they're meaningless.

"From a management perspective, if I cannot measure the effectiveness of my policies through audits and enforcement technology and looking at the number of incidents, then those policies are ineffective as well," he concludes.

The 90-minute solution

McAfee's Faisal Khan provides a novel solution to the problem of employees spending too much time on the internet.

"We cannot work eight hours a day only at work, we need to go on the Internet, read some news, change our minds. One of the best mechanisms is to implement a quota-based policy. Every employee has a right to do his internet surfing at his leisure or for 90 minutes a day. Every time an employee goes to Google, he's using his quota time.

If we had given him 45 minutes or one hour, it would seem like we were being animals to the employees. 90 minutes isn't two hours, it's not one hour, it's one and half hours and psychologically sufficient. When we saw the trend over a period of usage, people hardly even used 30 minutes in a day," he says.
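The quota-based policy Khan describes is only enforceable if the organisation can actually meter each employee's browsing time per day. The following is an added example of how that metering could be done from a web proxy log; it is not McAfee's implementation or anything from the article. It assumes a hypothetical proxy log format of one request per line ("ISO timestamp, user, host"), a 90-minute daily quota as quoted above, and a constructed sample log. Browsing time is attributed by sessionising requests: consecutive requests from the same user less than an idle gap apart are treated as continuous use, so the time between them is charged against the quota.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DAILY_QUOTA = timedelta(minutes=90)   # the 90-minute daily allowance from the article
IDLE_GAP = timedelta(minutes=5)       # assumption: a pause longer than this ends a browsing session


def _burst(user, start, count, step_minutes, host):
    """Construct `count` sample log lines spaced `step_minutes` apart (test data only)."""
    t0 = datetime.fromisoformat(start)
    return [f"{(t0 + timedelta(minutes=i * step_minutes)).isoformat()} {user} {host}"
            for i in range(count)]


# Constructed sample proxy log (hypothetical format): "<ISO timestamp> <user> <host>"
SAMPLE_LOG = "\n".join(
    ["2008-10-20T09:00:00 alice news.example",
     "2008-10-20T09:02:00 alice news.example",
     "2008-10-20T09:04:30 alice mail.example",      # 4.5 min of continuous use
     "2008-10-20T10:00:00 bob news.example",
     "2008-10-20T10:03:00 bob news.example",        # 3 min
     "2008-10-20T10:20:00 bob shop.example",        # 17 min pause: new session, not charged
     "2008-10-20T10:22:00 bob shop.example",        # 2 min
     "2008-10-21T15:00:00 bob news.example"]        # lone request: no measurable time
    # 26 requests every 4 minutes = 100 minutes of continuous use for alice
    + _burst("alice", "2008-10-20T12:00:00", 26, 4, "video.example")
)


def parse_log(text):
    """Yield (timestamp, user, host) for every well-formed line; skip malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line: skip it rather than abort the whole report
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except ValueError:
            continue


def usage_by_user_day(text, idle_gap=IDLE_GAP):
    """Attribute browsing time per (user, day) by sessionising requests.

    Consecutive requests from one user closer together than idle_gap (and on
    the same day) count as continuous use, so the gap between them is charged
    to that day's quota; a longer pause starts a new session and is not charged.
    """
    per_user = defaultdict(list)
    for ts, user, _host in parse_log(text):
        per_user[user].append(ts)
    usage = defaultdict(timedelta)
    for user, stamps in per_user.items():
        stamps.sort()
        for prev, cur in zip(stamps, stamps[1:]):
            gap = cur - prev
            if gap <= idle_gap and prev.date() == cur.date():
                usage[(user, cur.date().isoformat())] += gap
    return dict(usage)


def quota_report(usage, quota=DAILY_QUOTA):
    """Return sorted (user, day, minutes_used, over_quota) tuples."""
    return sorted(
        (user, day, used.total_seconds() / 60, used > quota)
        for (user, day), used in usage.items()
    )


def usage_trend(usage):
    """Average minutes per (user, day) with recorded use: the kind of figure
    behind the article's 'people hardly even used 30 minutes' observation."""
    if not usage:
        return 0.0
    return sum(u.total_seconds() for u in usage.values()) / 60 / len(usage)


if __name__ == "__main__":
    usage = usage_by_user_day(SAMPLE_LOG)
    for user, day, minutes, over in quota_report(usage):
        print(f"{day} {user:<8} {minutes:6.1f} min  {'OVER QUOTA' if over else 'ok'}")
    print(f"average daily use: {usage_trend(usage):.1f} min")
```

Charging only the gaps between requests undercounts (a single isolated request contributes nothing), which is the conservative direction for a policy whose purpose is goodwill rather than surveillance; a real proxy such as Squid logs a different line format, so `parse_log` would need adapting to the fields it actually writes.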

Taking the law into your own hands

When an employee commits a very serious offence, it may be necessary to consider taking legal action. However, this is difficult in countries like the UAE, where the laws with regard to IT violations are antiquated.

"The UAE does have a very old computer misuse act. It's primitive but I've spoken with the TRA and they are looking at updating it. Today, there is no law that can actually prosecute someone for a major violation such as defacing a website, releasing malware and so on," says BT's Tareque Choudhury.

McAfee's Faisal Khan disagrees, saying: "The UAE has been a leader in developing these laws over here. They're still in progress - but we have reached a stage where we can really prosecute people because it requires forensic evidence. You cannot prosecute anyone until you have technologies to prove that they did it."

The problem is entirely physical

Symantec's Rankin says enterprises need to consider the broader aspects of physical security.

"How well can outsiders socially engineer their way into the organisation, including datacentres? Can strangers enter and leave with laptops? This is an area that very few organisations have ventured into, taking a look into how good is their overall security culture.

"We've done some very successful physical penetration tests and social engineering for very large organisations and it's quite shocking how much we're able to get away with, especially when you look at it in the context of the country it was done in.

"If I go to a largely governmental organisation where the people are of a specific nationality, I should stand out immediately as a foreigner. The fact that I was able to get into the most sensitive areas of an organisation and be able to photocopy and leave with certain documents for the CEO just proves how weak the security was," he says.
