Put it in writing

May 1, 2001 12:00 PM, By Ben Rothke


  • Milton spends his day sending instant messages to his family and managing his stock portfolio.

  • David administers his anti-death penalty web site (which he hosts internally on a production web server) and posts political messages on Internet news groups.

  • Josh is actively conducting a job search and has been posting his resume on scores of job sites.

  • Chris visits adult web sites and exchanges images gleaned from his surfing with acquaintances from around the world.

While the previous scenarios are fictitious, they are based on real occurrences. Such scenarios occur in thousands of companies every day.

Let's imagine how the scenarios might play out:

Other employees have complained to the company's IT staff that the bandwidth on the high-speed Internet connection is so bogged-down that they can't get their work done. An analysis shows that the Internet connection is operating at 90 percent utilization. Running some scanning software shows that the above four employees (representing less than 1 percent of the workforce) are using roughly 85 percent of the bandwidth. The director of IT then decides to take action.

After reviewing the logs and supporting analysis documents, you confront the individuals. They admit to the accusations and are immediately terminated.

Instantaneously, productivity goes up, and the bandwidth issues are history. But a few weeks later, an intimidating and threatening letter arrives from the terminated employees' attorney claiming that his clients were unfairly terminated.

The Gang of Four, as the press now calls them, are suing the company for millions of dollars in compensatory damages. The essence of their legal argument is that since there were no corporate information policies in place explicitly prohibiting the activities that they were fired for, the company had no right to terminate them. Not only are they suing for immediate reinstatement with back wages, but for emotional duress as well.

Is such a lawsuit possible? “Yes,” answers Ronald Coleman, a partner at the New York City-based law firm of Gibney, Anthony & Flaherty and an expert on computer-related law. “While the suit might not succeed, it could raise an expensive — and unpleasant — prospect that the only course of action will be a costly settlement.” The alternative? “A clear written policy and confirmation from employees that they have read it,” says Coleman. “If a well-crafted policy is in place, few plaintiffs' employment lawyers will take on such a case — and even fewer judges will let it survive an early motion to dismiss.”

The need for information security policies

Companies need information system security policies for the same reason regulation in general is needed: to ensure a safe and sound infrastructure. For companies that want to deter employees such as the ones mentioned above, policies are the first step in ensuring that corporate assets are not squandered.

By way of analogy, when a powerful earthquake hits California, scores of people die, in addition to collateral structural damage. But when an earthquake of the same magnitude hits a third-world country, why do tens of thousands of people die? Why are entire towns reduced to rubble? The answer is obvious: California has a well-developed, organized and enforced set of building rules and regulations. These rules take into account the risk of earthquakes, and all buildings are required to be built to deal with that risk.

Countries that don't require the same set of stringent building rules and regulations may save on initial construction costs, but when disaster strikes, the effects are horrific. Unfortunately, the state of computer security, and of the corresponding policies and procedures, in most U.S. organizations is much closer to that of third-world countries.

According to a recent survey, 75 percent of companies do not keep security policies current and only 9 percent of employees understand what their company's security policies are. Deficiencies in policies create huge vulnerabilities and risks to the companies that lack a strong security statement.

While the need for information security policies is obvious, which policies to choose is not always so readily apparent. As networks, intranets and web servers are being deployed throughout companies at an explosive rate, they are usually being deployed in an insecure manner. Given that these systems are often being deployed for mission-critical applications, policies are a compelling necessity. Furthermore, given the nature of Internet time, the systems must often be built within unreasonably short time frames. Security policies, which are a critical aspect of any information security endeavor, may not be rolled out along with these systems.

Lack of policy is an urgent problem considering that the threats of cyber-attacks are real and on the increase. Not a day goes by that some corporate web site is not hacked. Large multi-national companies need to realize that the question isn't whether a cyber-attack will occur, but when. Policies enable companies to be better prepared when the inevitable attack occurs.

When the term Electronic Pearl Harbor was first coined, it was thought of as a farce. Now, all branches of the U.S. armed forces are actively involved with digital warfare and its repercussions. The FBI, CIA and other federal agencies see the digital threat as a real and significant danger.

Benefits

Information security policies afford myriad benefits. Some of the most compelling are:

  • Financial — Mishandling of information systems (both intentional and unintentional) can be extremely costly. Policies ensure that systems can be used as they were designated.

  • Security spending — Information systems products (contrary to the marketing literature) can't do magic. Without policies, products often exist in a vacuum.

  • Confidentiality, data and trade secret protection — Confidentiality policies are required to maintain appropriate trade secret protection. If employees do not know what is confidential and for internal use only, they can't be expected to keep it secured. In fact, in the absence of any type of policy, successfully prosecuting an employee for violation of trade secrets is extremely difficult.

Policy 101

The following four questions can provide an indication of how necessary policies are.

  • Do your employees handle information that is confidential, proprietary, or private? If so, they definitely need policies on how to protect that information.

  • Do you have corporate Internet connectivity? If so, policies are needed to define how Internet access is to be performed, what information is appropriate to be released to the public, and how your corporate name may be used. Many companies have been embarrassed to find that their employees post racist comments to news groups while using a corporate email account.

  • Does your company have trade secrets? Trade secrets are the lifeblood of many organizations. The existence of a policy may be a decisive factor in a court of law, showing that the organization took steps to protect its intellectual property.

  • Have acceptable use policies been created, including disciplinary actions for lack of compliance? Policies are needed to define what uses of information systems are acceptable and unacceptable. While acceptable use may seem obvious, policies are nonetheless required if disciplinary actions are expected to be taken.

Not just policies, effective policies

It is not enough to merely put policies in writing — there must be an infrastructure that supports their use. Even the best written policies are useless if they are not consistently enforced. “Having a policy that is selectively enforced can be worse than having none at all,” says Coleman. “That is why the policies we draft for our clients are practical. They ‘breathe’ — so they can work. But if a court believes you are enforcing a policy selectively and using the policy's terms as a pretext to fire employees on possibly illegal grounds, you can lose the case, gut the policy, and wish you had never gotten that Internet connection.”

Companies need to develop workable policies. “Blanket statements such as, ‘No personal use of Internet resources’ are worthless,” says Coleman. “They rank up there with, ‘No personal use of the telephone.’ The Internet, after all, is just another communication device. It is better to work with the human resources manager to outline specific areas of forbidden use, and to craft a formulation of “abuse.” That provision may not draw a bright line in every case. But it has the advantage of remaining enforceable when the company needs it.”

Conclusions

Information security policies are the building blocks of an effective information security infrastructure. Organizations that are serious about information security should have a comprehensive set of security policies and procedures.

For the record

About the author

Ben Rothke, CISSP, is a senior security consultant with Baltimore Technologies and can be reached at ben.rothke@baltimore.com.

Policies made easy

A tool to help the information security professional create policies is Information Security Policies Made Easy by Charles Cresson Wood (www.baselinesoft.com). The book includes more than 1,000 pre-written policies accompanied by an explanation for each and includes a CD-ROM of everything in the book. PentaSafe Security Technologies (www.pentasafe.com) has integrated the book into its VigilEnt Policy Center (VPC) product. VPC uses the hard-copy policies from the book to automate the creation, distribution and management of the corporate security policies.

Four other useful items are:

Solsoft NP from Solsoft Inc. (www.solsoft.com/products/index.html). Solsoft NP is a powerful software tool that can be used to deploy and manage network security policies.

Computer Security Policies and SunScreen Firewalls, Kathryn Walker & Linda Cavanaugh, 1998, Prentice Hall, ISBN: 0130960152.

Information Security: Policies and Procedures: A Practitioner's Reference, Thomas Peltier, 1998, CRC Press - Auerbach Publications, ISBN: 0849399963.

The E-Policy Handbook: Designing and Implementing Effective E-Mail, Internet, and Software Policies, Nancy Flynn, AMACOM, ISBN: 0814470912.

© 2008 Penton Media Inc.