With Beth Cohen, an advisory analyst for The Advisory Council.
Question: What is involved in setting up a security policy?
Cohen: Developing a security policy is similar to the process of developing a business disaster recovery policy. The security policy is not just setting up a firewall and antispam filters. It goes into determining what data is important for the company and how it should be protected. That's a decision made at the financial, legal and HR levels -- and the executive level. An executive has to sponsor it, particularly with regulatory issues coming up. And of course another big issue is social engineering, which is the biggest hole in any company's security. It's the ability to pose as IT technical support [for instance]. If I call up someone in the company and say I'm calling from the help desk, and that there is a problem with his or her account and ask for the password, probably 80 percent of people will give the password. But who's to say I am actually from tech support? That's a training issue. It's a big component that often is overlooked. You can throw technology at a problem, but if users don't understand the issue, [criminals] can still get around technology.
Question: It sounds like much of what goes into a security policy doesn't directly involve technology. What must the mindset be for creating a successful policy?
Cohen: Frequently, people make decisions without creating a policy. They need to make a policy first. For example, if you are considering putting in a VPN solution for the staff and users to access various components or systems … the latest VPN application may not be the right solution. There are a number of technical solutions for creating VPNs depending upon the policy. You may choose one over another. For instance, if you don't want to give suppliers and customers full access, you may choose an SSL VPN rather than a vanilla VPN.
Question: What are some of the questions and issues that pop up once you start thinking in terms of policies and not just technologies?
Cohen: Using a firewall is a given, but how should the firewall be used? And what's happening with increasingly global and dispersed companies? What "inside" and "outside" the company means is more and more difficult to determine. IBM, for example, has a very mobile workforce, a very large number of employees who work at home. If you work at home, are you inside the company or outside the company? I still find so many IT people are just not business people. You have to change your perspective. Security people tend to say, "We'll lock it down and everything will be OK." But that costs money, so there are risk tradeoffs. Security and IT [executives] need to understand, and business executives need to understand as well. The main point that I'd like to get through is that it is important to think of it as a project, a business issue beyond the technology. Don't let the technology drive the decision-making process.
This 3 Questions originally appeared in a weekly report from IT Business Edge.