INDIA COMPUTER SECURITY POLICIES ARE TOO COMPLACENT
Security Policies: to be or not to be - Express Computer
Jaspreet Singh
Many organisations are complacent with regard to IS in an age when computers and information systems are proliferating at an exponential rate, and the risks are critical
Information Security (IS) has gained greater importance as part of every business’ risk management strategy on account of recent events. Companies are moving to the mature position that security should be integrated into the very fabric of a business. In doing so, IS programmes need to move from being tactical implementations of technology to becoming strategic partners in business.
One of the key elements of the internal control environment within any organisation is its IS policy. This policy provides the high-level framework from which all other IS security-related controls are derived. Many of us assume that nearly all organisations have an IS security policy or something that would qualify as such. This is not the case. According to a 1996 Datapro Information Services Group survey of over 1,300 organisations from America, Europe and Asia, only 54 percent had an IS security policy. This was down from a high of 82 percent in 1992, and was the lowest figure since Datapro began the survey in 1991. The survey also indicated that only 62 percent of respondent organisations had assigned a specific person to be responsible for computer security, and the majority of respondents reported that less than 5 percent of their organisation’s IT budget is allocated for security.
A separate worldwide survey by Xephon of England confirmed these findings. Xephon found that fewer than 60 percent of responding organisations had IS security policies. Of those that did, only one in five was based on external standards; the rest were essentially made in a vacuum.
The results of these surveys are alarming. They indicate that many organisations are complacent with regard to IS in an age when computers and information systems are proliferating at an exponential rate, and the risks are critical. If an organisation does not have an IS security policy, a significant internal control weakness has been identified, and a security policy should be developed and implemented as soon as possible.
Furthermore, procedures should be implemented to ensure that the policy and supporting standards are updated to include new laws and regulations as well as changes in technology and business practices. The policy and any updates should be communicated to all employees on a regular basis (at least annually). Applicable portions of the policy and standards should also be communicated to all contingent staff (vendors, consultants, temps, etc).
Information systems security policy
Information systems security policies are high-level, overall statements describing an organisation’s general goals with regard to the control and security of its information systems. Policies should specify who is responsible for their implementation. These are usually established by the management and approved by the board of directors. Because most boards meet only monthly, changes to policies can often take several months to become official. If the change is significant, the board may request additional information or research before it votes on the changes. If the changes are relatively minor, there may not be sufficient time on their agenda to address such minor policy changes. For these reasons, it is important that IS security policy should not be too specific.
For example, the policy should mandate that the organisation provide adequate physical and logical security controls over computer hardware, software and data to protect them from unauthorised access and accidental or intentional damage, destruction or alteration. However, the policy should not specify detailed controls such as the minimum number of characters required for passwords or the maximum number of unsuccessful sign-on attempts allowed before suspending a user ID. If this were the case, senior management would be constantly submitting policy change requests to the board. As we all know, oftentimes controls that were thought to be strong have been rendered inadequate by advances in technology. At one time, five-character passwords were thought to be sufficient for business applications. With hacking software now available at little or no cost on the Internet, passwords of eight or more characters are currently required in many organisations. It is therefore more practical to include detailed IS control requirements in the IS security standards of an organisation.
Policy implementation
Determine the role technology plays in enforcing or supporting the policy. Security is normally enforced through a combination of technical and traditional management methods. This is especially true in the areas of Internet security, where security devices protect the perimeter of the company’s information management systems. While technical means are likely to include the use of access control technology, there are other automated means of enforcing or supporting security policy. For example, technology can be used to block telephone system users from calling certain numbers. Intrusion detection software can alert systems administrators to suspicious activity and enable them to take action to stop such activities. Personal computers can be configured to prevent booting from a floppy disk.
Automated security enforcement has advantages and disadvantages. When properly designed, programmed and installed, a computer system can consistently enforce policy, although no computer can force users to follow all procedures. Additionally, deviations from policy may sometimes be necessary and appropriate. This situation occurs frequently if the security policy is too rigid.
Hints for policy creation
Policies require high visibility to be effective. Visibility aids in the implementation of policy by helping to assure that knowledge of the policy is widely spread throughout the organisation. Make use of management presentations, videos, panel discussions, guest speakers, question-answer forums and newsletters to make your policies visible. Also, the organisation’s computer security training and awareness programme can effectively notify users of new policies. Introduce computer security policies in a manner which ensures that management’s unqualified support is clear, especially in environments where employees feel inundated with policies, directives, guidelines and procedures. The organisation’s policy is the vehicle for emphasising the management’s commitment to computer security, and making clear its expectations for employee performance, behaviour and accountability.
Computer security policy should also be integrated into and consistent with other organisational policies such as personnel policies. One way to help ensure this is to thoroughly coordinate policies during development with other offices in the organisation. Formulating viable computer security policies is a challenge, and requires understanding and communication of the organisational goals and potential benefits that will be derived from the policies. Through a carefully structured approach to policy development, you can achieve a coherent set of policies. Without these, there is little hope for any information security system.
Friday, January 21, 2005