Working in the information security arena for a number of years and facing various challenges along the way, I've come to recognize several key factors that must be considered in almost every situation. I've learned that you have to "Mind your P's" when trying to implement security controls. Although this set of ideas can be applied to most aspects of business, they're especially helpful in understanding the success or failure of a security program in a given organization.
This list began forming in my earliest consulting days, performing risk assessments. Our low-end engagement was referred to in-house as a "P&P"—our review of policies and procedures. The P&P was a good initial assessment to see whether an organization had laid the groundwork for a successful security program. Having set policies and procedures is crucial for any organization, for one simple reason: Without them, chaos rules, and day-to-day operations are inconsistent and ineffective. Policies and procedures clarify what the organization wants to do, why it should be done, and how to do it.
The foundation of all security is strong policies. A policy is an intent. It sets the expectations of performance as well as the standards of behavior for an organization. A policy guides decisions, provides consistency, and defines the corporate culture. To be effective, a policy must be clear and well-written, leaving little open to interpretation. The level of detail should be suitable for both the audience and the subject matter.
Further, and more importantly, it MUST be embraced by senior management. Without management support there is little chance of policies being effective in any group. Finally, an unenforced policy isn't a policy at all; it's merely words on a page.
A policy is only a set of guidelines; it's implemented as a procedure. A procedure is a set of discrete steps outlined to accomplish a specific task. Procedures normally include step-by-step instructions and any useful or required forms. These instructions and forms are used to ensure compliance with all standards and policies. A procedure documents and describes the who, what, when, and how in support of the implementation of a policy:
- Who performs specific tasks (roles and responsibilities)
- What forms and systems must be used
- When a task should be performed (daily, monthly, quarterly, and so on)
- How the task will be performed
Procedures can assume basic competency in the role of the person performing the task, but each procedure should be written in sufficient detail that the task can be accomplished by someone that has never previously performed this task. This rule ensures continuity in business operations in the event of staff attrition and turnover. Procedures generally form the "inputs" for a larger business process, which I'll discuss later.
Distinguishing Policies from Procedures
When combined, policies and procedures provide the basis for consistent behavior in an organization, regardless of the status or length of tenure of the people implementing the policies and procedures. By providing for relative uniformity, they make greater accountability possible. The differences between policies and procedures can be summarized as shown in the following table.
Guide decision making
Allow for managerial discretion
Detailed and rigid
Integral part of organizational strategies
Tactical tools for accomplishing the strategies
Generally formulated by top management
Laid down at lower organizational levels, in line with policies
A process is a collection of related tasks designed to meet a specific goal. A business process can generally be broken down into sub-tasks, each with its own set of procedures documenting how to meet this business goal. For example, you may hear human resources personnel refer to a "hiring process." The hiring process is a larger business process that includes discrete steps such as these:
- Sourcing candidates
- Screening candidates
- Conducting interviews
- Selecting and hiring candidates
- Administrative processes for new hires
Each part of the process includes specific steps or procedures that must be followed to accomplish the task. The analysis of business processes typically includes mapping of processes and sub-processes down to the activity level. Well-designed business processes increase effectiveness. Corporate policies and procedures generally support and even define processes of the business, and the processes themselves usually align with a specific department or business unit.
Practices can be broken down into two types: best practices and common practices. Let's look at the differences in these types.
A best practice (sometimes referred to as an industry best practice) is a method or technique that has consistently shown results superior to those achieved by other means. Most companies seek out related best practices as they develop their in-house practices to accomplish goals like these:
- Decrease time to implementation
- Benefit from the knowledge and success of other people or organizations
- Ensure compliance with legislation or industry standards
Many sources of best practice information and guidance are available for both IT professionals and security professionals. Microsoft even provides tools to check that critical server components are configured in accordance with best practices, with best practice analyzers for SQL Server, Exchange, and even Lync Server. The Internet Engineering Task Force (IETF) provides a set of best current practices for the Request for Comments (RFC) series that provided the basis for most Internet protocols. The National Security Agency (NSA) provides Security Configuration Guides that are considered security best practices, and the National Institute of Standards and Technology (NIST) provides significant guidance that is frequently considered best practice. Finally, let's not forget the SysAdmin, Audit, Network, Security (SANS) Institute, whose Reading Room has a section dedicated to best practices.
No matter what has been formalized in written policies and procedures, or how well defined your business process, it may all be for naught. Most important are the common practices you actually have in place.
The typical explanation for ignoring formalized policies and procedures is "That's the way we've always done it." How often have you heard that excuse? Common practices are in place due to culture, habit, or even poorly defined policies and procedures. Face it—if you mandate procedures that are complex, cumbersome, or time-consuming, or they don't fit well with the task at hand, they'll be ignored.
I've repeatedly encountered certain common practices that violate security policies and procedures. Do you see them at your shop?
- Sharing a common administrative password among all system administrators
- Administrators excluding themselves from password complexity and expiration requirements
- Passwords that never expire
- Personnel "piggy-backing" through a secured entrance, without using their individual smartcards for entry
These violations don't seem severe on the surface, but they erode the overall security culture of an organization. If no one takes security seriously, eventually everything becomes less secure.
Do your policies include language about handling these violations? Policy should set expectations for behavior, but it should also outline consequences for violations—up to and including dismissal for repeated offenses.
You don't have to run for public office to become embroiled in politics. In business, politics generally refers to the use of power to pursue a personal agenda, regardless of the effect on organizational goals and objectives. Obviously this is the negative aspect of politics in any arena, and I'm sure you've encountered it from time to time.
You can think of politics as the "trump card" to everything else I've discussed thus far. I've seen political scuffles over implementation of the most mundane aspects of policies and procedures. Imagine starting a political firestorm over one of these policies on corporate computers:
- No games are allowed.
- Passwords expire every 90 days.
- USB drives are disabled.
Many years ago I participated in some standards working groups as we implemented the Federal Desktop Core Configuration (FDCC) guidelines for a government agency. For an entire day, I watched government agency representatives argue about whether the Solitaire card game should be part of the standard desktop configuration. Apparently some senior executives liked to play Solitaire at work. Unfortunately, politics can override any of your corporate policies, procedures, or best practices—at any time, without notice.
People make up every aspect of our businesses. People run the organization, perform day-to-day tasks, and eventually determine the success or failure of our efforts at developing and maintaining a strong culture of security.
People are the most important factor to consider in every aspect of business. As we develop policies and procedures to support our business practices, if we ignore their impact on people, we've doomed them to failure. It's interesting that we have computer systems that allow the use of a password such as password—and then we spend entire careers telling people not to do that. People want to do what's easy for them, but it's seldom the most secure approach. We have so many systems with unique usernames and passwords that it's easy to use the same password everywhere—but it's certainly not secure.
The challenge of implementing a good security program is to find the right balance between our need for security and our natural desire for an easy path. As we seek this balance, we need to guide the organization and its people through well-defined policies and procedures. If we don't provide guidance and direction, people will fall back to easier ways of doing business (common practices).
We strive to achieve best practices while avoiding the pitfalls of politics. It should be obvious by now that this is no easy task; be prepared to adjust your expectations over time. Policies and procedures don't need to be carved in stone—they can be modified over time, and they should be. But it's clear that we need to mind all our P's when it comes to information security.