In the Information Technology (IT) world, technology is king. But in information security (IS), technology is just one supporting element of the overall IS function. Since information security involves giving direction to the activities of people who interact with sensitive information, a balance must be achieved between the "three legs" of information security management: people, processes and technology. Let's break these down individually.
People
Security begins with each individual, whether authorized or unauthorized, who accesses and protects information. In many of these interactions, technology isn't even involved (e.g. speaking to another individual, talking on the phone, physically handling paper records, etc.). So the first leg of protection has to be "People".
In order to start working with people you have to start with trust. If you can't trust your workers to access only the information they're authorized to see, or you can't trust them not to disclose sensitive information they know, then the battle is already lost. Yes, you can take disciplinary action against an employee for a violation of a corporate policy, or criminal action in the case of fraudulent activity, but this is "closing the barn door after the horse gets out". When it comes to interacting with people, proactive security activities are the better road to take.
Do periodic background checks – Doing a background check on people who handle sensitive information when they join the company is always a good idea, but don't stop there; do periodic checks. People's lives change, and unfortunately not always for the better. That trusted administrator who joined the company a decade ago may now be financially motivated to sell sensitive company information due to a long-term illness or layoff in the family.
Know who handles sensitive information – It seems a no-brainer that you'd know who has access to sensitive information. The reality is, in today's complex organizational structure, you may not discover who has this access without a close examination. Information may become sensitive, depending on the other data a worker has access to, without management's knowledge. The Navy did a study during World War II where a series of sailors calling home each had a small piece of information about their deployment. When the war office put all this data together they learned where the ship was going, how long it was going to be there, its basic mission goals and other critical information that would have aided any enemies who were listening. The Navy started the "Loose lips sink ships" campaign, understanding that even the lowest ranks had information that could be detrimental if exposed.
Do security training for all people handling sensitive information – Making people aware of the policies and procedures around protection and proper access goes a long way towards achieving a good information security program. The employee learns what is expected of them, and the corporation gets a good security citizen who can also augment the company's security personnel by keeping their eyes and ears open and reporting unacceptable behavior.
Create a communication channel of trust – Get affected workers involved in new security programs. Allow business managers to voice their requirements. Involve key stakeholders in security decisions. As humans we have some of the most sophisticated communication capabilities of any species on Earth; use them. Throwing information security initiatives over the wall to managers and employees is unacceptable in today's business environment.
Policies & Processes
OK, you have the eyes of the people upon you, so what's next? You have to provide guidance on which actions are acceptable and unacceptable to the organization. It's one thing to tell people they have to protect information, but you also have to provide instructions on how the company wishes this to happen.
Develop policies and processes that make sense – I periodically review policies and processes for my clients. There's nothing worse than finding a series of policies and processes that don't reflect the culture or organization of the enterprise. Asking people to halt their work while they wait for approval from someone who isn't in their chain of command, doesn't treat this decision as a priority, or is difficult to contact will cause the process to fail. When you create policies and processes they must reflect the real world your organization operates in.
Create an "enforceable" set of policies and processes – I once worked with a company that had a policy that stated, "All sensitive information must be encrypted at rest." So I asked whether this meant that every database and LDAP directory they had ran encryption software. Of course the answer was no; it was a best-practice policy developed for the company by an outside consultant. So my question is, "Why take the time and effort to write a policy or process if it isn't enforceable?" Either people won't abide by it, or worse, they will create their own alternative processes that make their jobs easier without necessarily making the company more secure.
Make the policies and processes easily accessible – Keeping these documents (electronic or paper) under lock and key doesn't help anyone. Distribute them freely to management and the workforce. In addition, always note at the top of each document who is responsible for maintaining it, along with contact information. People may need to review a particular policy or procedure in a time of crisis, and having to hunt down the document may be the difference between stopping a detrimental activity against the company and failing to.
Update them on a periodic basis – Conditions change, opportunities come and go, and legislative and corporate compliance efforts may grow. As such, a good company periodically reviews ALL of its policies and procedures, but not all at once. Create a review schedule that reflects the rate of change and resource availability of the company. A company I worked with has about twenty-five corporate policies. Of these, five are reviewed in detail each year, meaning that every five years the entire set of policies gets a makeover in a round-robin process. Of course, if you decide to do this, the information security office should work with executives to determine what the review cycle should be for their organization.
Technology
OK, now that we've got the eyes of the people, we've given them direction and they're protecting your information, what's next? You need to select tools to improve the efficiency and scope of this protection.
Technologies are not an end in information security; they're a component of information security. They should be selected to work with your people, policies and processes.
Technology should be used to streamline and augment protection mechanisms – An administrator cannot physically review and approve the thousands of e-mails that come into and go out of a company, but technological tools can do this very easily. In those cases where an information security function is not financially viable, is too complex to implement as a process, or is too resource-constrained to sustain a good security activity, you should consider a technology solution.
Technology may require policy and process changes – The technologies you choose could influence how people securely access sensitive information. As technological changes occur, training and policy and process changes may be needed.
Technologies are only as good as their configuration – I read vendor promises of 100% compliance, elimination of fraudulent activities, etc. Well, in theory maybe; in reality, not without a lot of work. These tools have not been developed solely for the use of your company. They need to be configured, or mapped, to your unique requirements. Best practices and default settings rarely provide the optimal protection of information. Don't deploy any solution until you're satisfied it works as well as, or better than, how you protect your information today.
Remember, technologies don't get the blame when things go bad; you do – Treat technologies as tools. Just like a hammer in a bad carpenter's hand, they may not produce the results you expected. Relying on technologies to do your job is a fatal mistake; they can only go so far in providing information protection. You are ultimately responsible for ensuring the protection of your company's information.
In the end, people, policies and procedures, and technologies need to work in conjunction with each other. One of the main activities of a security manager is to keep these three in proper balance. Only when they work together equally can you feel comfortable that your information security activities will support the needs of your company.