Security: Fighting the enemy within

Using the right tools

No matter what the motivation, security policies are a solid foundation for a secure enterprise. Tools exist to help create written security policies. Software applications are available to lead company security officers through a series of templates that define security policy standards.

Templates within these software applications exist for crafting security policies that meet a variety of guidelines. Policy templates include ISO 17799 for enterprises, a GLBA template for financial institutions, and a HIPAA template for healthcare organisations in the US.

The templates are critical, since writing an effective security policy is not easy. Templates help ensure that the security policy created is practical enough to be consistently implemented across an enterprise. Simply put, creating a policy without thinking about how it will be implemented is a recipe for failure. As InfoWorld's Mandy Andress wrote in November 2001, "There's a fine line between creating an enforceable policy and discussing the technologies used to enforce that policy."

Many security consulting companies understand the importance of security policies, but they also know that the vast majority of security policies are not implemented and instead are sitting on shelves collecting dust. And if they are implemented, policy compliance is verified only periodically, which is not often enough. Ongoing enforcement of security policies is vital, not only to eliminate the threat of security breaches, but also to ensure necessary compliance with federal regulations.

Quite often, internal threats to a network's security are caused by users performing legitimate actions that unintentionally cause significant security consequences. For example, when a user installs a new software package on a network desktop system, it could change configurations on the user's machine. These new configurations, such as altering password settings, leave the user's machine and ultimately the entire network vulnerable to security violations, intrusions and infiltration. The vulnerability might go unnoticed for days or weeks if the written security policy is not constantly and consistently enforced.

Enforcing the rules

Having a written security policy by itself also does not eliminate the threat of social engineering. The most effective means of preventing a social engineering attack is implementing a security policy that addresses these types of issues. In order for a policy to be effective, it needs to leap from the written document into operational configurations that can be enforced across a company.

Some companies achieve this manually by hiring personnel who can check systems against a security policy one system at a time. This process is costly and prone to human error. An alternative is security policy automation software that checks network configurations against defined policies. Security policy automation also encompasses auditing: checking networks for inconsistencies and vulnerabilities, and checking a system's compliance against the written security policy or against a "benchmark" or "golden machine".

Yet again, software is coming to the rescue. Solutions exist that allow IT personnel to ensure that specifications created by written security policy are enforced consistently across an enterprise. This process is not easy, as it involves translating the written policy into a set of guidelines for each machine. The guidelines describe the actual settings on certain machines, and they differ depending on the type of machine and the operating system it is running. These "implementation standards" define how the written policy can be established on each system within a company.

Beyond the creation of implementation standards, software exists to scan network systems to ensure that they are in compliance with the written policy, a vital concept for companies that want to prove compliance with federal mandates. More importantly, the software industry understands that enforcing the written policy consistently across a company is an expensive human endeavour, so solutions exist to handle this process. The software can even notify IT personnel when a system is out of compliance.

Consistent enforcement of computer policy completes the security policy automation process and makes written security policy live. Security policy automation works to identify any changes to the system environment that infringe on company security requirements. A company's security policy automation strategy should include a real-time method for checking the configurations of systems against the written policy.
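The translation described above, from written policy to per-platform implementation standards to an automated check, can be sketched as follows. This is an added example, not code from the article or from any product it mentions; the rule identifiers, host names and setting names are illustrative assumptions, and the inventory is constructed.

```python
# Added example: policy rules, hosts and setting names are constructed.
import operator

OPS = {"min": operator.ge, "max": operator.le, "equals": operator.eq}
# Written policy statements, each mapped to an "implementation standard":
# the concrete setting name and required value per operating system.
POLICY = {
    "PW-1 minimum password length": {
        "windows": ("MinimumPasswordLength", "min", 12),
        "linux": ("PASS_MIN_LEN", "min", 12),
    },
    "PW-2 maximum password age (days)": {
        "windows": ("MaximumPasswordAge", "max", 90),
        "linux": ("PASS_MAX_DAYS", "max", 90),
    },
    "AC-1 guest account disabled": {"windows": ("EnableGuestAccount", "equals", 0)},
}

def audit_host(host):
    """Return a list of violations for one host's collected settings."""
    findings = []
    for rule, standards in POLICY.items():
        if host["os"] not in standards:
            continue  # rule has no implementation standard for this OS
        setting, op, required = standards[host["os"]]
        actual = host["settings"].get(setting)
        # A setting that could not be read is a finding, not a pass.
        if actual is None or not OPS[op](actual, required):
            findings.append((host["name"], rule, setting, actual, required))
    return findings

def drift_from_golden(golden, host):
    """Settings whose values differ from the benchmark ("golden") machine."""
    g, h = golden["settings"], host["settings"]
    return {k: (g.get(k), h.get(k)) for k in g.keys() | h.keys() if g.get(k) != h.get(k)}

# Constructed inventory: ws-02 had its password settings altered by an install.
GOLDEN = {"name": "golden-win", "os": "windows", "settings": {
    "MinimumPasswordLength": 12, "MaximumPasswordAge": 90, "EnableGuestAccount": 0}}
HOSTS = [
    {"name": "ws-01", "os": "windows", "settings": dict(GOLDEN["settings"])},
    {"name": "ws-02", "os": "windows", "settings": {
        "MinimumPasswordLength": 0, "MaximumPasswordAge": 90}},
    {"name": "srv-01", "os": "linux", "settings": {
        "PASS_MIN_LEN": 12, "PASS_MAX_DAYS": 99999}},
]

if __name__ == "__main__":
    print([f for h in HOSTS for f in audit_host(h)])
```

Run on a schedule, the list returned by audit_host is what would feed the out-of-compliance notification to IT personnel.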

Threats from all sides

The bottom line is that companies are facing tremendous pressure to protect valuable company information. Threats come from all sides, as in the case of social engineering, often from where you least expect them, and can exploit even the most seemingly minor weaknesses in the network. In fact, the Carnegie Mellon University IT security research group CERT estimates that 95 percent of network intrusions result from exploitation of known vulnerabilities or configuration errors where countermeasures were available.

Traditional manual processes related to written security policies are doomed to failure due to limited resources, prohibitive price, and inadequate auditing techniques. To efficiently stay ahead of potential threats, companies should rely on security policy automation software to define, detect, deploy and document any violations and eliminate the threat of attacks.

It is no surprise that industry leaders are recognising the importance of security policy automation. "The biggest problem is the policy compliance management problem," said Scott Charney, chief security strategist at Microsoft. "How do you manage the growing complexity of security in the enterprise? There is a need and an opportunity for a coherent framework for the management of security systems."

"Security has new meaning to every American in every way," said Richard Clarke, White House Special Advisor for Cyberspace Security. "Security now extends to every company faced with the possibility of electronic threats to their intellectual property. I am excited by the activity within the private sector, including in the area of security policy automation, which will help companies protect their networks."

The White House and the US federal government are rapidly ramping up their influence on corporate security. The government is imposing federal guidelines, such as HIPAA and GLBA, to dictate protections that present a huge challenge to many companies. In addition, Richard Clarke's recent draft report, "National Strategy to Secure Cyberspace", touts the importance of security policies and the need to automate their implementation.

The report states, as one of its recommendations to corporations: "Create a regular process to assess, remediate [sic], and monitor the vulnerabilities of the network; consider developing automated processes for vulnerability reporting, patching, and detecting insider threats."

It is not surprising, in many ways, that the government is so actively involved. Back in 1995, it was the FBI that ultimately caught Kevin Mitnick and presented his case to a federal judge. It was that case that frightened the judge and landed Mitnick in a padded cell simply because of the power of computer hacking and social engineering. Thankfully, that power can be monitored closely thanks to software products that implement and automate written security policies, making them the bedrock of a secure enterprise.

Roberto Medrano is chief executive officer of PoliVec, a provider of automated security policy software. He is also founder and first vice president for Hispanic-net, a non-profit organisation.
