Determining Rules and Defining Compliance
Users within a corporation must abide by its rules, making it incumbent upon the organization to ensure that its policies are logical, fair, ethical, and germane to computing and security jurisprudence. Corporations must ensure that they act not only within the law but also within the spirit of the law. This section considers the following topics:
Issues have recently surfaced that bring new emphasis to the phrase "acting within the spirit of the law." Many have argued that laws governing corporate behavior shouldn't necessarily dictate strict rules of conduct, because rules can be misinterpreted, misunderstood, or simply gotten around. It is argued that because one cannot misconstrue the spirit of a law, the business community might be better served by a system that encourages adoption of that spirit.
The Internet has made various materials more accessible than ever, and certain copyrights can prove difficult to protect. While legislation is working hard to keep up with technological advancements, enforcement can be another issue. Corporations have long respected copyright laws on software, ensuring that counterfeit copies of software are forbidden on company property. But inappropriate e-mail and file deletions are still a relatively new issue, and only recently have they become synonymous with document shredding.
HR departments are using security technology to protect individuals'privacy, and corporations are making certain that all copyrights they encounter are respected. Organizations are becoming exceedingly more diligent in all aspects of their computing environments, ensuring that compliance to laws is strictly adhered toboth to the letter and, increasingly, to the spirit.
User compliance, or more specifically, observance and adherence to company rules, plays a major role in security policy. The concept of "inspect what you expect" means that an organization should follow up on policy compliance and not just assume its users are following the stated rules. Whether the evaluation is log analysis or Internet tracking, the organization must check, or inspect, to ensure that rules are being followed. Note that most rules are not invasive and exist primarily for the safety of both the user and the employer.
Users are tasked with keeping company equipment safe while it is in their possession. For the typical corporate user entrusted with company property, that usually means a laptop computer. Keeping the equipment safe can run the gamut from restricting Internet browsing to appropriate sites and not loading third-party software, to ensuring that the laptop is locked when not in use. When traveling, a laptop and related equipment should be secured in a safe room. If one is not available, equipment should be placed in a locked suitcase. Thieves typically remove items from hotel rooms that are easy to conceal; suitcases are not typically stolen.
Users need to be aware of their surroundings, even when they are traveling within a city. Three employees of a large enterprise had just completed a sales call late one afternoon when they decided to have dinner before returning to their hotel. Traveling together in a nondescript sedan, their laptop computers securely hidden in the trunk, they confidently parked the car in a well-lit area and went into the restaurant for dinner. Potential criminals are everywhere, and the person watching the three clean-cut men in business suits emerge from their car at 5:30 p.m. and walk to the restaurant empty-handed, probably quickly surmised that laptop computers could be in the trunk. After dinner, the three men returned to their car to find the trunk lid damagedand their computers gone. Security means not merely following the rules but interpreting them so they are relevant for every situation.
While organizations compile comprehensive regulations that are relevant to their mandates when determining rules for user compliance, the following guidelines are applicable to most companies:
A clearly defined Internet policy must be acknowledged by all users.
A system policy must be in place that clearly states unacceptable computing behavior, requiring the user to consider the spirit of a policy and not merely its black-and-white rules.
A process must ensure that company confidential documents are never stored on a user's hard drive. Rather, any documents that are labeled private, or confidential, could only be stored on the company server, as an example.
Wide use of monitoring tools can aid in identifying misuse. For example, intrusion detection systems (IDSs) look inside a packet to ensure that the payload is what the header claims it to be.
The organization could provide constant reminders encouraging users to comply with safety rules, for example, pop-up screens that contain warnings, reminding users to log off when they have completed a session. Or, the organization can establish an enforced logoff after a specified period of inactivity.
Appropriate personnel should know relevant state, local, and federal law enforcement officials.
Appropriate personnel should be well versed in legal requirements that are germane to the specific industry to which the organization belongs, or the county in which it resides.
If certain users are responsible for employing third-party service providers, the user responsible needs to ensure that the service provider has adequate, and auditable, security to ensure the corporation's privacy.
Lists can be endlessthe challenge lies in delivering the organization's intent without the message becoming stale. By engaging in a practice that promotes continual education, users can be well versed in their employer's mandate, fully comprehending how its security posture is instrumental in helping the organization achieve its goals.