
Policy, Personnel, and Equipment as Security Enablers

Chapter Description

Policy plays an integral role in security effectiveness. Educating users on their responsibility to enhance security can have a twofold effect: It ensures that deployed equipment can perform tasks with greater effectiveness, and it creates an environment that encourages and supports individual responsibility.

Mobilizing the Human Element: Creating a Secure Culture

The development of a secure computing environment requires high-level sensing, detecting, filtering, authenticating, encrypting, and authorizing equipment to be purchased and distributed across an organization's appliances and systems. The process of establishing an enhanced security environment reaches well beyond physical equipment in an attempt to bring together an organization's most diverse component: its people.

This section considers the following topics:

  • Employee involvement

  • Management involvement: steering committee

Employee Involvement

It is becoming increasingly incumbent upon organizations to foster a culture that embraces security as an employee-initiative program, rather than a set of top-down rules imposed on users. Most employees have a genuine desire to maintain a positive working environment, and if they are informed about issues and understand what is at stake, they are more likely to become vigilant participants in the security process. Employee education can spell the difference between creating a security culture and merely installing equipment to build a security system.

Education can take many forms, but setting a tone can begin the moment an individual joins an organization. By incorporating security expectations in every job description, or statement of duties, individuals not only understand what is expected but also recognize the organization's commitment to holding its employees accountable for security. The more prominence the statement is given on a job description, the greater its impact for each employee.

Orientation programs can be ideal forums to begin the process of disseminating security information, allowing new users to acknowledge the following policies of an organization:

  • Internet policy

  • E-mail policy

  • Hardware and software policy

  • Physical security policy

In recent years, organizations have become more diligent in checking business and personal character references during the hiring process. They delve deeper into resumes, substantiating employment periods, academic degrees, and other pertinent claims a prospective employee might make. Certain organizations are extending this practice to include contract, part-time, and temporary workers, ensuring that agencies that provide such people perform exhaustive identity checks before they are approved for work.

Management Involvement: Steering Committee

Organizations can have departments so diverse that it can be challenging to get their different factions moving in the same direction. From R&D and finance to warehousing and investor relations, finding common ground can be a challenge unto itself. While security is not the great leveler, it is an element that runs through every fabric of an operation. Every user is capable of wreaking havoc, and every individual is responsible for the sanctity of security practices.

Creating a security culture can be enhanced by the formation of an inter-departmental senior-level security steering committee. The direct involvement of leaders from distant groups can create positive ripple effects in the organization. Senior managers can do the following:

  • Bring pertinent issues to the fore

  • Be required to understand the needs of other departments, and the organization, in their quest to achieve a process that benefits all

  • Provide a reliable litmus test to determine whether potential solutions are overly restrictive and could result in negative implications, such as users circumventing the rules

  • Have a stake in the process, which makes them better equipped, and more inclined, to ensure implementation in their own departments

The steering committee concept can be a positive forum for senior managers to develop corporate policy in an area that is normally outside their sphere of influence. No single entity of an organization is an island, and bringing senior managers together under one umbrella can have a twofold effect: It can help to ensure the organization's security, and it can create an avenue for the pertinent corporate discussions that naturally ensue.
