Security must take lead in Web policy
Jan 1, 1998 12:00 PM, Donna Davis
If your organization does not have a formal Web security program, now is the time to develop one.
While Web security may appear to be an Information Services (IS) responsibility because of the technology involved, it is not; responsibility resides with security. Consider the primary missions of typical IS and security departments. IS exists to design and deploy enabling technologies, systems and services based on organizational requirements. Security, on the other hand, exists to mitigate risk to the organization's assets. While IS should recommend and implement technology solutions to satisfy security needs, security should interpret security requirements and establish security policy. Security must take the lead to ensure achievement of an effective and efficient Web security program.
While application of security countermeasures remains challenging, enough versions of Internet/intranet policies and procedures have been published to suit virtually any organization's needs. Because tools such as the Internet have emerged rapidly, many managers may not be familiar enough with them to effectively optimize them within the organization. Solicit management to actively optimize information technology to promote more efficient work and business growth.
Easy as 1-2-3
1. Call management to action by executive direction. Clearly articulate management's responsibilities, arm them with policy, enable them with professional training, and empower them with decision authority.
2. Promulgate understandable and acceptable user procedures that define acceptable use without stifling genius.
3. Provide relevant, accessible tools that facilitate self-governance. Tools proven successful include education and training, posting checklists, network risk management software and current anti-virus software.
Obligate the entire workforce to practice and enforce the highest standards of business ethics in the virtual workplace, and to report known and suspected violations of company policy. Several reporting avenues should be available to personnel through, for example, local management, the compliance/ethics office, human resources, security and legal.
Management responsibilities
Management should ensure Web technology is being used effectively and responsibly. First, managers should gain an understanding of Web technology to help in making sound business decisions. Second, they should plan their organization's use of the technology. For example, with proper security, you may find the Internet and intranet allow for inexpensive and effective sharing of program information with business partners, customers and suppliers.
Take charge of authorizing business use for people in your organization - including non-employees. Let the people who report to you know your authorization is required for Internet access. All Internet connections should be established according to company standards. Internet access is accomplished through the firewall; exceptions shall be authorized by security.
Ensure your workforce is aware of business use standards. During work hours, all use must be for authorized business only; any off-hours, incidental use must follow company procedure. Abuse of privileges may lead to disciplinary action, up to and including termination. Concerns should be addressed to line management, your HR or security representative, or the ethics office.
Illegal, obscene, pornographic or offensive material must not be accessed, viewed or downloaded; such material must not be sent via e-mail. Transmission of such material can result in criminal penalties. All Internet use is subject to audit.
Next month:
How to implement an Internet user agreement and an intranet posting checklist.
Addressing computer and information security issues that impact security professionals, the column provides solutions to contemporary business challenges. The author, Donna Davis, is manager of security services and information systems security for Northrop Grumman Corp.'s Electronic Sensors and Systems Division.
© 2012 Penton Media Inc.





