The long and short of a security policy

What is better: a one-page security policy that is clear and simple, or a policy that is comprehensive and covers every conceivable risk? Security officers from two separate financial institutions argued their cases at a security conference in Sydney on Tuesday.

The officers agreed that one of the fundamental building blocks of a sound security strategy is to create and enforce a policy that adequately reflects the risks and requirements of the organisation. However, at the Alphawest 2005 IT Security Symposium in Sydney today, attendees were given two very different views on how to tackle the problem.

Martin Laing, head of IT security at French banking group Société Générale, told delegates that security policies ought to be "comprehensive and cover every conceivable area of security".

"All our risks, whatever and wherever they may be, must be identified," said Laing. "If we are concerned that our staff have the ability and access to do something that could cause some concern then we must take some action to handle that situation. We need to make sure staff see [security] as their day-to-day job."

However, John Talbot, head of infrastructure services at the Commonwealth Bank's Wealth Services Division, said he prefers to enforce a "one-page culture" when it comes to the security policy because anything more is "waffle".

"If it is over one page, you are either waffling or there is too much you are trying to share with people. So cut it down and make it into something that is digestible," said Talbot.

Talbot explained that when he first started working for the Commonwealth Bank, the security policy was comprehensive but unenforceable.

"I saw their security policy, which was 127 pages of marvellous information. The idea of clear and enforceable was lost. The IT security team in my group have distilled that down into something we can absolutely understand -- and it is enforceable," said Talbot.

Société Générale's Laing, who did not reveal the length of his organisation's security policy, argued that unless a security policy is comprehensive and strictly enforced, vulnerabilities will develop: "Let's assume that our firewall administrator makes a change. Maybe he has made a mistake, but maybe it is malicious. The changes might not be serious immediately... but they could let death into our doors."

According to Laing, it does not matter whether the change was a mistake or malicious, because an enforced policy with change control would reduce the potential for vulnerabilities either way.

"Whether [the change] is deliberate or not, without any control, process and approval, the result has the potential to be the same -- a new vulnerability. The point is it is one individual to blame, not the technology," said Laing.


Talkback (1 comment)

    It's a balance Graeme Thorne -- 08/11/05 (in reply to #120123014)

    It is well known that people are the weakest link and without an easily digestible, measurable and enforceable policy then you'll always be playing catch up. I believe the right approach is what works for the organization in question and sometimes this takes a little bit of experimenting.

    I totally disagree with Laing that all risks must be identified. Maybe he was nervous up on stage, but most security experts will tell you to identify what matters to you, the impact of its loss in terms of disclosure, alteration, and denial / destruction (inverse of confidentiality, integrity and availability), and then start focusing your threat / risk assessment in this area. It achieves better cost / benefit but doesn't capture everything, but then that's never practicable or realistic.

    Graeme
    graeme.thorne@gmail.com
