What is better: a one-page security policy that is clear and simple, or a policy that is comprehensive and covers every conceivable risk? Security officers at two separate financial institutions argued their cases at a security conference in Sydney on Tuesday.
The officers agreed that one of the fundamental building blocks of a sound security strategy was to create and enforce a policy that adequately reflects the risks and requirements of that organisation. However, at the Alphawest 2005 IT Security Symposium in Sydney today, attendees were given two very different views on how to tackle the problem.
Martin Laing, head of IT security at French banking group Société Générale, told the delegation that security policies ought to be "comprehensive and cover every conceivable area of security".
"All our risks, whatever and wherever they may be, must be identified," said Laing. "If we are concerned that our staff have the ability and access to do something that could cause some concern then we must take some action to handle that situation. We need to make sure staff see [security] as their day-to-day job."
However, John Talbot, head of infrastructure services at the Commonwealth Bank's Wealth Services Division, said he prefers to enforce a "one-page culture" when it comes to the security policy because anything more is "waffle".
"If it is over one page, you are either waffling or there is too much you are trying to share with people. So cut it down and make it into something that is digestible," said Talbot.
Talbot explained that when he first started working for the Commonwealth Bank, the security policy was comprehensive but unenforceable.
"I saw their security policy, which was 127 pages of marvellous information. The idea of clear and enforceable was lost. The IT security team in my group have distilled that down into something we can absolutely understand -- and it is enforceable," said Talbot.
Société Générale's Laing, who did not reveal the length of the organisation's security policy, argued that unless a security policy is comprehensive and strictly enforced, vulnerabilities will develop: "Let's assume that our firewall administrator makes a change. Maybe he has made a mistake but maybe it is malicious. The changes might not be serious immediately... but they could let death into our doors".
According to Laing, it doesn't matter if the changes were a mistake or made maliciously because an enforceable policy would help reduce potential vulnerabilities.
"Whether [the change] is deliberate or not, without any control, process and approval, the result has the potential to be the same -- a new vulnerability. The point is it is one individual to blame, not the technology," said Laing.
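Laing's firewall scenario is the one place in the debate where a policy clause maps directly onto a technical control: every rule change must trace back to an approval, and anything that does not is a finding regardless of intent. The script below is an added illustration of that check, not code from the article or from either bank. It assumes a simplified one-line rule format, a constructed approved baseline, a constructed approval log keyed by change ticket, and a constructed snapshot of the running rule set; real firewalls would need a per-vendor exporter in place of those literals.

```python
"""
Flag firewall rule changes that no change ticket authorised.

Added example (not from the article or either bank). The rule format,
the approved baseline, the approval log and the running snapshot are all
constructed for illustration; a real deployment would export the running
rules from the firewall and the baseline from the change-control system.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed baseline: the rule set change control has signed off on.
APPROVED_BASELINE = {
    "allow tcp 10.0.0.0/8 -> 10.1.2.3 port 443",
    "allow tcp 10.0.0.0/8 -> 10.1.2.4 port 22",
    "deny any 0.0.0.0/0 -> 10.1.0.0/16",
}

# Constructed approval log: ticket -> (action, rule) it authorises.
APPROVED_CHANGES = {
    "CHG-1041": ("add", "allow tcp 10.0.0.0/8 -> 10.1.2.5 port 443"),
}

# Constructed snapshot of what is actually running on the firewall.
RUNNING_RULES = {
    "allow tcp 10.0.0.0/8 -> 10.1.2.3 port 443",
    "allow tcp 10.0.0.0/8 -> 10.1.2.4 port 22",
    "allow tcp 10.0.0.0/8 -> 10.1.2.5 port 443",  # authorised by CHG-1041
    "allow tcp 0.0.0.0/0 -> 10.1.2.4 port 22",    # nobody approved this
    # the deny rule covering 10.1.0.0/16 has silently disappeared
}


@dataclass(frozen=True)
class Finding:
    action: str              # "add" or "remove" relative to the baseline
    rule: str
    ticket: Optional[str]    # approving change ticket, None if unapproved


def audit(running, baseline, approvals):
    """Diff running rules against the baseline and match each difference
    to an approval ticket. Mistake or malice makes no difference here:
    an unmatched change is a finding either way."""
    by_change = {change: ticket for ticket, change in approvals.items()}
    findings = []
    for rule in sorted(running - baseline):
        findings.append(Finding("add", rule, by_change.get(("add", rule))))
    for rule in sorted(baseline - running):
        findings.append(Finding("remove", rule, by_change.get(("remove", rule))))
    return findings


def unapproved(findings):
    """Only the changes with no ticket behind them."""
    return [f for f in findings if f.ticket is None]


def severity(finding):
    """Crude triage on the simplified rule grammar: a new allow from
    anywhere, or a deny that has vanished, is the 'death into our doors'
    case; everything else is a medium-priority drift."""
    verb, _proto, src = finding.rule.split()[:3]
    if finding.action == "add" and verb == "allow" and src == "0.0.0.0/0":
        return "high"
    if finding.action == "remove" and verb == "deny":
        return "high"
    return "medium"


if __name__ == "__main__":
    for f in audit(RUNNING_RULES, APPROVED_BASELINE, APPROVED_CHANGES):
        status = f.ticket or "UNAPPROVED"
        print(f"{severity(f):6} {f.action:6} {status:10} {f.rule}")
```

Run as a scheduled job, the interesting output is the UNAPPROVED lines: the widened SSH rule and the missing deny both surface without anyone having to decide whether the administrator was careless or hostile, which is exactly the point Laing makes about control, process and approval.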