Disaster-Resource.com

Write Security Policies to Ensure Compliance, Expert Says

A serious problem with many information security policies is that management often has no idea whether staff and systems are actually complying with them, according to one security consultant.

In an article on SearchSecurity.com, information security consultant and author Charles Cresson Wood says the lack of connection between a security policy’s intention and its implementation is "in large measure a reflection of the compliance auditing technology being used to support information security." He says those responsible for writing information security policies should push management to consider the implications of using different compliance auditing technologies.

Cresson Wood says the first step is to identify what type of control environment exists in a company, because that determines "the extent to which compliance exists." He distinguishes three types of control environment. The first is "built so there is no need for periodically gathered compliance data." In this type of environment, "you will need good problem-reporting systems, but not compliance checking," he says.

The second type "provides indicators that can definitively show whether security policies are being observed," he says. "For example, a systems administrator should be following established policies and procedures when configuring operating systems, including installing patches and upgrades. Whether this has been done can be readily observed with vulnerability identification software."

Cresson Wood’s third type of control environment "has few definitive types of evidence that can be examined to demonstrate compliance," making it an environment where management will "never know whether workers are observing [security policies]."

He advises companies, whenever possible, to use their information security policies to mandate controls that don’t require compliance checking, and not to skimp on initial security costs. Companies that do skimp, he warns, "will pay later because compliance checking will be difficult and relatively expensive."
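The second type of control environment described above, where each policy requirement maps to evidence a scanner can observe definitively, is the one that is straightforward to automate. The following is an added example, not code from the article or from Cresson Wood, of such a checker in Python. It compares a constructed inventory of OpenSSH patch levels and sshd_config settings against a constructed policy baseline; the host names, version strings, policy values and inventory data are assumptions made up for the illustration. The OpenSSH defaults for options absent from sshd_config are real, and they are the part a careless checker gets wrong: an option missing from the file is not "unknown", the daemon simply behaves as if the default were set, so the checker has to treat it that way to produce the definitive evidence the article is talking about.

```python
import re
from dataclasses import dataclass

# Constructed policy baseline (an assumption for this example, not from the
# article).  Each requirement is a machine-observable fact plus the values
# that satisfy it: a minimum OpenSSH version and two sshd_config settings.
POLICY = {
    "min_openssh_version": (9, 3),
    "ssh_password_auth": {"no"},
    "ssh_permit_root_login": {"no", "prohibit-password"},
}

# OpenSSH's own defaults for options that are absent from sshd_config.
# An absent option is not "unknown": sshd behaves as if the default were set.
SSHD_DEFAULTS = {
    "PasswordAuthentication": "yes",
    "PermitRootLogin": "prohibit-password",
}

# Which sshd_config option backs each policy requirement.
SSHD_REQUIREMENTS = (
    ("ssh_password_auth", "PasswordAuthentication"),
    ("ssh_permit_root_login", "PermitRootLogin"),
)

# Constructed inventory: what a scanner or agent reported for each host.
# jump-01 deliberately has no PasswordAuthentication line at all.
INVENTORY = {
    "web-01": {
        "openssh": "9.6p1",
        "sshd_config": {"PasswordAuthentication": "no", "PermitRootLogin": "no"},
    },
    "db-01": {
        "openssh": "8.9p1",
        "sshd_config": {"PasswordAuthentication": "yes", "PermitRootLogin": "no"},
    },
    "jump-01": {
        "openssh": "9.3p2",
        "sshd_config": {"PermitRootLogin": "prohibit-password"},
    },
}


@dataclass(frozen=True)
class Finding:
    """One piece of compliance evidence: what was observed and whether it passes."""
    host: str
    requirement: str
    observed: str
    compliant: bool


def parse_version(text):
    """Turn an OpenSSH version string such as '9.6p1' into a comparable (9, 6)."""
    m = re.match(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unparseable version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def effective_sshd_option(config, option):
    """Value sshd actually uses: the configured one, else the daemon default."""
    return config.get(option, SSHD_DEFAULTS[option])


def check_host(host, observed):
    """Evaluate every policy requirement for one host and return the evidence."""
    findings = []
    version = parse_version(observed["openssh"])
    findings.append(Finding(host, "min_openssh_version", observed["openssh"],
                            version >= POLICY["min_openssh_version"]))
    config = observed.get("sshd_config", {})
    for requirement, option in SSHD_REQUIREMENTS:
        value = effective_sshd_option(config, option)
        findings.append(Finding(host, requirement, value, value in POLICY[requirement]))
    return findings


def noncompliant(inventory):
    """Map each host to the list of requirements it fails (empty list = compliant)."""
    return {
        host: [f.requirement for f in check_host(host, observed) if not f.compliant]
        for host, observed in inventory.items()
    }


if __name__ == "__main__":
    for host, failed in noncompliant(INVENTORY).items():
        status = "compliant" if not failed else "FAIL " + ", ".join(failed)
        print(f"{host}: {status}")
```

Resolving an absent option to the daemon default is what turns a "never know" result into definitive evidence: a checker that skipped missing keys would report jump-01 as compliant even though it accepts password logins. The same shape, a policy expressed as observable facts and a collector that records what was actually seen, is what makes the second type of control environment cheap to audit; if a requirement cannot be written this way, it belongs to the third type and needs a different control.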

To read the full article, click here: http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1057806,00.html?FromTaxonomy=/pr/282599