Week 10: Avoiding Security Control Creep


During class discussion this week, one of my peers mentioned that their company seemed to be in an ever-increasing spiral of thousands of applicable security controls. As information security professionals, we often focus on complying with industry best practices to the greatest degree practical, but we need to keep ourselves grounded in the truth that policies are only useful when they are widely understood. Even if the information security department has a strong understanding of the controls in use, it is an uphill climb to effectively educate the rest of the organization. For example, project managers are responsible for bringing some sort of change with each project, and if they cannot understand the applicable security policies then it is very possible that they could end up introducing a vulnerability that the policy should have handled. This same risk extends to the user base: if they don’t have a clear understanding of the security policy, then their behavior won’t be constrained by that policy. In the worst case, they could become frustrated at the complex web of policies and controls, throw up their hands, and make a rash decision because of the complexity.

Instead of piling policies on policies and letting things grow out of control, it’s important for organizations to build a focused information security policy that is based on industry standards and fits organizational goals. By keeping those three things in mind, it’s more likely that everyone from the CEO to the new hire will be more likely to understand the policy—and follow it!

Comments

Post a Comment

Popular posts from this blog

Week 1: What is User-Centered Security?

Information technology professionals are familiar with the cycle: we implement strong security measures, but then receive negative feedback from users due to decreased functionality, additional "hoops" they are required to jump through, et cetera. Sometimes users even use work-arounds which can not only circumvent the new security measure but invalidate other aspects of the system's security. As an example for how well-intentioned security measures can backfire, consider the strong password policies that were the industry standard a few years ago. The requirements for high minimum character count, complexity via required character combinations, and regular changes drove many users to circumvent the password-based security entirely by writing their passwords down either physically or in text files. As a result, current NIST guidance recognizes this vulnerability and no longer recommends evaluating password complexity beyond comparing the user's chosen password again...
Read more

Week 9: Selling Security Education, Training and Awareness Programs to Users

I’ve frequently heard users complain to one another about the relevance, timeliness, or applicability of the training they just completed while on a break after a mandatory organizational SETA session. As cybersecurity professionals, we understand that SETA programs are a vital part of an organization’s information security posture. Verizon’s survey of databreaches shows that years of SETA programs are having an effect, helping make users more resistant to the temptation to click malicious links and more likely to report them during security audits. However, these connections are not as obvious to our users, who see SETA content as competing with work activities more tied to their core business functions. There are a few tricks I’ve found to help users take SETA training more seriously. First, by tying information security to the core organizational mission. If you can demonstrate to your users that the impact of the time spent learning about information security benefits the ...
Read more