Imagine for a moment that you are a building contractor and are approached by a client who needs to construct an office. "Blueprints? No, we don't need them yet," the client says.
"This isn't really a priority yet, so we want only what's absolutely necessary; let's start with a single wall to block the view from the street. We'll try to put up one of those fancy new roofs before rainy season, and hold off on a foundation and the other three walls until we have the money to do it right. Our people will draw up blueprints later, when they have some spare time," he concludes.
While the typical contractor in this situation would direct the client to a good psychiatrist, the great majority of businesses take precisely the same approach to network and information security.
Focused on an immediate return on investment, new funding or market share, upper management typically has little interest in security and provides few resources and no organizational support to lock down a corporate network.
IT staffs are forced to address problems in piecemeal fashion, as they arise (or as upper management reacts to the latest news story or marketing hype), and the result is an architectural disaster waiting to happen.
Every company has a different set of security needs and threats; as such, the first step in creating a security policy is an assessment of the situation.
Begin by looking closely at the customer and its data. Most businesses possess much more sensitive information than they realize - what kinds of information does the business possess, and which types are most sensitive? Is the primary concern confidentiality (keeping merger and acquisition plans secret), or integrity (preventing alteration of medical records)? What would be the repercussions if that data were stolen or altered? How long does the data have to be protected?
Keep in mind, however, that data is not the only resource attractive to attackers. While few attackers are looking to steal CPU time in this day and age, quite a few are after free storage and bandwidth. Corporate servers are regularly used as unwitting distribution centers for pirated software, for example.
Other attackers may be interested in a host or network solely for its trusted relationship with another host or network. While often overlooked, threats to these resources can result in anything from damaged customer or partner relationships to legal liability.
Once you've determined what must be protected, the next step is to assess who it must be protected from. In the vast majority of cases, the primary threat comes from a company's own employees. As such, it is crucial to understand which resources are most attractive to employees, which are necessary for their job functions, and how they go about accessing them.
Other insiders, including partners, customers and contractors, are also potential attackers. How much access do these players have, and how much do they need? Outsiders - everyone from competitors to online thrill seekers - represent a relatively small security threat, but they shouldn't be discounted either.
Armed with a newfound understanding of its needs and risks, your client is now in a position to make some broad decisions about security posture.
Every security decision involves a trade-off - risk versus implementation/maintenance costs, convenience and functionality. Each business and every businessperson possesses a unique level of risk tolerance, and it is thus up to the client to determine which risks to accept, which to mitigate and which to avoid entirely.
The bulk of the policy-development process lies in the next step: fleshing out the broad outlines of a security posture with concrete procedures and practices. Be prepared, because this is a substantial undertaking. A comprehensive list of security procedures will extend to almost every aspect of business operations, from IT, to human resources, to sales.
Constructing these policies requires a careful balancing act. An overly narrow policy will be of limited impact and will leave most problems unaddressed, while a 600-page tome will be used primarily as a doorstop. An overly vague policy will leave nonsecurity specialists in the dark, should an emergency arise.
Most procedures will involve simple, day-to-day business operations. How should remote users be allowed to access the corporate network? How should employees handle laptops? What kinds of information should be given over the phone or by e-mail? Who has access to what information? What kinds of employee background checks should be conducted?
A smaller subset of procedures defines the appropriate responses to a problem. If one employee observes a potentially innocent breach of policy, how should he or she respond? What is the fallback posture if a security tool breaks? Who, if anyone, should be allowed to override policy, and how should these people be required to authenticate themselves?
The final set of procedures addresses incident response and disaster recovery. If an employee discovers an intruder in the corporate network, who should he or she call? How should employees respond if data is compromised or deleted, or if equipment is sabotaged?
According to Dan Geer, CTO at @Stake Security, "The most important part of a security policy is to get across that it's everybody's problem." The ultimate success of any security policy hinges on the participation of employees without security training, so your policy implementation must include a strong training component, says Geer.
The CTO also advises keeping the policy simple. "If it's so complex that only a few people can understand it, you've collapsed the number of people on your security team; ideally, everyone should be on your security team."
Prepare short documents outlining those portions of the policy relevant to each department. Keep in mind that unenforceable rules may be worse than no rules at all.
And, above all, sell the policy to employees. Help them understand why such inconvenience is necessary, say security experts.
All of this effort may seem daunting, especially for those strapped for cash, but in the long run it will prevent expensive and disruptive remedial work.
As any experienced construction engineer will tell you, it's a lot cheaper to lay a good foundation than it is to clean up a royal mess.