Security Policy Best Practices

Date July 31, 2008

We're taking on a new client, and their standards requirements are a bit beyond anything we've ever encountered.

I just finished going through a nearly-600 line spreadsheet answering questions about our network's physical and logical security controls. It also included questions about our in-place security policies and what was covered by them. Nothing in the questionnaire was a bad idea to have implemented, but the sum total was a bit overwhelming.

We do have a security policy; it's covered in a page or so of the employee handbook. It's implemented, as well, but beyond that, everything has been done according to a relatively "common sense" approach. To remedy this lack of standards, my boss and I are currently going through the SANS Institute's "Security Policy Project", and I've got to say, it's more overwhelming than the original spreadsheet.

We've accumulated about 15 documents that we think apply to our situation, and we're in the middle of revising them and customizing some of the technologies they cover to work for us. After they get drafted and approved, I get to implement them. I can't wait.

The hardest part will be a change in mindset for the users. I can't wait to see how the operations side responds to this. I suppose it's the price you have to play for running with the big dogs, so to speak.

Which brings me to my question. Does your company have a codified security policy? Do you ever do spot checks, or audits? Do you abide by the policy?

As always, I have anonymous comments enabled, so feel free to comment as such if you are worried about revealing too much about your network.

  • Michel

    From my observations most companies seem to have the same problems.

    management says we need high security
    sysadmin suggests measures to raise security
    developer/users complain about getting less work done

    finally i end up recognizing that im doing the job of 2-3 people and couldnt really enforce all procedures anyway

    But my basic problem is finding and keeping employees who are flexible and will restrain themselves to work within secure guidelines. fast developement and flexibility seem to be tough to merge.

    also with most people who apply the last months its obvious why they still search work and if you train someone a year they seem to like to quit and sadly do. maybe its just to much pressure in my company :) but im getting offtopic

  • Craig March

    I have to say we do but it's one of the those documents that was created and forgotten about... until the auditors visit.

    It's awful really, but that is the reality of a small organisation with limited resources.

  • Stephen Northcutt

    Aloha, if I read the original post correctly you found the SANS policy project more daunting than a 600 item spreadsheet. Can we make contact to understand what we can do to make the information more approachable? Stephen AT SANS.ORG

  • Matt

    @Stephen

    Thanks for the visit, and the comment. The information at SANS was presented very well. The sheer volume of things to go through and pick from is overwhelming :-) I should have been more clear. Your information is presented excellently and has made our efforts immeasurably easier than they would have been without it.

    The initial curve is a steep in going from a few paragraphs to a full-fledged policy, but we're making the effort to do it, and I think it'll be a positive move in the long run.

    Again, thanks, and please, come back and visit anytime.

  • Ben C

    My fine University has several pages of official policy regarding IT security plus untold internal memos, post-it notes, and unwritten rules. What makes it interesting for us is the fact that IT support is largely distributed in the various academic and business units. We're each basically responsible for our own security and FERPA/HIPAA/whatever-else compliance.

    In my department, we're pretty open to giving administrative privileges to the faculty and graduate students: they complain too loudly when you don't, and then the Department Head comes down on you. Unfortunately, you have some people who take an "I don't care if I get hacked, I just want to be able to do my research" attitude (yes, that is an actual quote!).

    We run vulnerability scans using Nessus every week, and I pick through the log files every morning looking for people behaving badly. I think we make enough noise about security that the users generally don't do anything too risky. We'll see what happens in a month when all of the students come back!

  • Bill

    From experience w/ one of my previous clients - management says we need to comply with customer's policy. I come back with the cost of the implementation. Then a lot of pressure comes back from management to answer the questions in such a way as to pass the audit and avoid changing anything.

    This process eventually fine-tuned itself to the point where managament would either fill out the audit themselves, w/o consulting us, or immediately begin the process of asking us how to answer the questions "correctly" and skipping over any talk of change or implementation.

    Security is one of those things that, in my opinion, does not have to be implemented in a "big-bang" event to work. I resorted to picking one or two things during each audit event or security incident. And in addition to the (mostly boilerplate) corporate IT security policy, I started generating, for each project and system, a documentation stanza for security and DR. So even as a small business, our security policy and implementation situation began to improve in steady increments.