Security is a top priority at the Bank of Labor, but the financial institution updates its formal information security policy only once a year, maybe twice, regardless of what's happening in the ever-changing threat landscape.
That's not to say that the union bank ignores emerging threats such as new malware variants or phishing schemes, says Shaun Miller, the bank's information security officer. On the contrary, the organization, which has seven branches in the Kansas City, Kan., area plus an office in Washington, routinely tweaks its firewalls and intrusion-protection systems in response to new and active threats. To avoid fatiguing its 120 users, however, it refrains from formalizing new policies more frequently.
"The purpose of our policies is to be at a high level, not to cover every eventuality out there," says Miller. "We update procedures for tactical day-to-day stuff, but when it comes to our strategic direction on security going forward, we change our policies in a limited fashion so as to not overwhelm users."
The Bank of Labor isn't alone. Given how fast the threat landscape changes, it can be difficult for a company to modify something as rigid as a corporate security model to keep pace with every new attack vector. In a recent survey of 287 U.S.-based IT and business professionals conducted by Computerworld, CIO and CSO, 33% of the respondents said that they work for organizations that have had the same model for information security management in place for five or more years. Meanwhile, 23% said their model had been in place for three to five years, 33% said one to three years, and just 11% said less than a year.
However, 50% of those polled said their organizations are considering making changes to their infosec management models. When members of that group were asked what factors are driving their employers to contemplate a change, the top three responses were concerns about breaches and data loss (cited by 78% of the 144 respondents), technology advancements and upgrades (53%), and regulatory compliance (49%).
How often to adopt infosec policy changes is a conundrum. Companies need to come up with a way to remain flexible, to ensure that their policies and procedures reflect the current threat landscape, yet they can't hand down so many new rules and restrictions that they frustrate users and inadvertently compel them to consider bypassing corporate rules, explains Kelley Mak, an analyst at Forrester Research.
At the same time, companies have to strike a balance between using firefighting tactics to address the most current threats and treating information security policy as a holistic strategy, Mak says. "It's not as simple as taking the data and making a new policy, because you have to make sure information workers aren't upset," he says. "The more restrictions you put in place, the more likely someone is to go around it."
Filling day-to-day gaps
That's exactly what Miller is trying to avoid. The Bank of Labor maintains an information security policy that addresses high-level issues, including the bank's overall stance on security and broad rules, such as a mandate requiring employees to use passwords to access data. The policies, which are put in place only after board approval, don't get into the weeds of the technology or spell out details such as the exact character requirements for passwords (which might change over time, anyway).
To complement the broad policies, Miller's group regularly modifies rules to tackle current security gaps. Most recently, the security team blocked the use of Flash software because of its well-publicized vulnerabilities, and because it's rarely used in business-related websites anymore. "We don't consider that a change to policy," Miller says. "Our board of directors approves policy, and they don't know what Flash is or what it does. It's just an example of a simple, day-to-day business response to threats as needed."
To keep people in the loop about updates, Miller sends email messages announcing changes and explaining why they're important. Saying he often includes links to background information, Miller explains that making sure people understand why the changes are necessary and being clear about the risks has been instrumental in preventing user frustration and ensuring that employees are willing to comply with even with small policy changes.
Test, test, test
Devin Meade, senior systems manager in charge of security at Frankfurt Short Bruza (FSB), says he prefers to keep security policy fluid because the architectural engineering planning firm is relatively small (it has 150 users) and because it isn't directly affected by regulatory requirements. While FSB does have a formal security policy that is approved by the board of directors, Meade and his team make frequent recommendations for new procedures, using a small steering committee of about a half-dozen users to solicit feedback before rolling out the changes to a wider user audience.
"Our standard way of doing patches or making changes to our security stance is to test them out on a machine to see how they work and to roll them out to a representative group of people," he explains. That steering committee then tests the changes to determine what will work and what won't for FSB's users.
For example, Meade and his team recommended bumping up encryption. But during the steering committee's tests, the changes were found to make VPN access too unstable and slow, so Meade's team went back to the drawing board. It was a similar story when the team tried to enforce URL whitelisting and blacklisting to restrict user access to certain "not safe for work" sites. That move, Meade says, didn't work out as anticipated because the technology involved wasn't mature enough at the time.
Only after being approved by FSB's steering committee do infosec policy or procedure changes get implemented across the company. "My job is to inform [the executive team and business sponsors] about what we can do and what the process would be if we made the changes," Meade says. "Because we're a small firm, we can make modifications as the technology changes."
Most organizations aren't as nimble as FSB and don't update security policies often enough, and many don't test-drive changes to gauge what's effective and not too cumbersome, says Forrester's Mak. "You don't find a lot of organizations doing the right amount of testing to identify vulnerabilities, so there's not an accurate understanding of what the effect is on the environment from the human side," he says.
Mak advises companies to create security awareness programs that not only provide direction to employees, but also underscore the importance of embracing a serious security culture.
Getting users on board
That approach will soon to be in place at Fay School. Like the Bank of Labor, the school makes frequent minor updates to its infosec procedures to keep up with emerging threats but enacts major policy changes only a few times a year to avoid overwhelming users, says Joseph Adu, director of technology at the Southborough, Mass., private school, which serves grades pre-K to 9. Adu, who came on board a year ago from the for-profit sector, is drawing on his experiences in the business world as he develops the school's IT policies. Among other things, he's making a concerted effort to help employees feel invested in security.
This academic year, the school's 150 staffers and faculty members will take part in both in-person and digital training sessions that will be repeated annually to cover important infosec policy changes, Adu says. In addition, a new plan in effect this year calls for new employees to undergo security awareness training as soon as they are hired. Infosec training will also eventually be incorporated into the school's new-hire orientation process. That means newcomers will know right off the bat that sharing personal information en masse via email is prohibited, and they will understand how the school classifies particular types of data and why, among other things.
Adu says presenting security policies at the point of hire is a way of indoctrinating users into the corporate culture and makes them feel accountable for upholding security best practices. Also, people are generally more open to direction when they first come on board, so they're more likely to accept and abide by the policies. (The school also holds short training sessions for its 400 students to cover security basics, such as a rule against sharing passwords.)
"We're trying to create a culture where people know they can count on the IT department to keep them abreast of what's going on," Adu says. "But they also need to understand that data security is an important part of working at this [organization] and they have a role. The hardest part is getting people to realize that a lot of responsibility falls on them as end users."
Related video: The state of IT security
This story, "How flexible should your infosec model be?" was originally published by Computerworld.