Enterprise policies and standards are meant to be the written law on how to implement, use, and monitor a technology or process, as well as other HR and legal scope items. For the purposes of this book, we will focus on IT policies and standards. These "laws" also serve as a warning of the consequences if the policy is violated. For instance, an employee cell phone policy may be created in response to a business request to use personal phones for business. However, along with the ability to use a personal cell phone, there may be restrictions on using the "smart" features to access enterprise data, or a requirement to load a mobile device management application on the phone. The standard in this scenario may be a requirement of certain smart phone operating system types an....security capabilities of the platform.
Security exceptions
Indeed, if we have policies and standards, we will have exceptions too. Let's
face it: it is hard to implement everything to the letter of the law due to
complexity, cost, and the limitations of software and hardware. There are two
schools of thought on policy implementation. The first only writes policies for
what is currently being done, or what can be done with little effort; the second
writes the policy that the enterprise should be implementing. The first school
of thought may not be ideal, but upper management may not want to hear that the
enterprise is dismally implementing a policy that has already been written. On
the other hand, upper management that understands security will want to push
the enterprise to a higher standard and push for the best feasible policy.
Security review of changes
A formal change management process is not only a requirement of many regulatory
and standards bodies, but in general a good practice of due diligence. In a
typical implementation of change management, there is a process to ensure that
all affected parties are aware of a planned change. This allows the various
business units and IT to fully understand the impact and properly set the risk
level for the change. What happens many times, though, is that the security team
is not made aware of changes in the environment. Sometimes this lack of review
is intended to reduce the workload for the team and avoid overburdening them
with reviewing countless changes. This can be a serious misstep, because the
teams making the change may not be aware that it has security implications.