Do standard security policies have the opposite effect?
Jul 16, 2009 at 06:19 PM

Security is a part of every IT environment, even if it is just simple passwords and a lock on the data center door. Most companies (outside of highly sensitive industries) have a set of standard security policies. These policies, however well intentioned, fail to take human behavior into account. Consequently, it can be argued that they achieve the opposite of what they intend: they reduce security.

For example:

Password settings: Most companies require a password change every month and a mix of letters and numbers. What do most users do? Choose a very easy-to-remember password (since they have to change the damn thing every month) and simply increment the number. Those who don't use such a system write it down or store it in their PDA. Net result: passwords that are easy to crack (the next one is predictable from the last) or easy to find.
Email attachment blockers: Many organizations block attachments, or strip attachments that match certain criteria, and reject attachments above a fairly small size. Most employees have a Gmail, Hotmail or Yahoo account, so what do you think they use to send and receive those files? Net result: files are still being transferred, but with no control, no virus scanning, and company-sensitive information now sitting on Google's servers.
Internet filtering: Many organizations block websites such as webmail, forums and so on. These restrictions ignore the fact that users have USB memory keys and home computers. Net result: company-sensitive information on USB keys, home computers and third-party servers.
Restrictive remote access policies: Most companies offer a VPN connection, but it is usually tightly restricted: access to only certain machines, a forced disconnect after an hour, and no access to the remote user's own local network (no split tunnelling). Net result: employees don't use it. They take files home on USB drives, mail them to webmail addresses, and so on.
File transfer restrictions: Many security policies limit how employees can transfer large files. Net result: they use sites like drop.io to share company information internally, or even with customers and partners.
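The password example above, worked through in code. This is an added illustration and not part of the original post: the passwords, the salt and the function names are constructed for the example. `rotation_candidates` generates the guesses an attacker would try when one previous password is known, `guesses_to_crack` counts how many of them it takes to hit the current one, and `is_trivial_rotation` is the check a password-change handler can make to reject exactly this kind of rotation.

```python
import hashlib
import re
from typing import Iterator


# Constructed sample data (not from the original post): one user's password
# after a few monthly rotations under a "letters and numbers, change every
# month" policy, and the password they rotated to next.
PREVIOUS_PASSWORD = "Fluffy03"
CURRENT_PASSWORD = "Fluffy04"

# Lazy stem, greedy trailing digits: "Fluffy2010" -> ("Fluffy", "2010").
_TRAILING_DIGITS = re.compile(r"^(.*?)(\d+)$")


def rotation_candidates(old: str, steps: int = 12) -> Iterator[str]:
    """Yield likely next passwords, given a known previous one.

    Models the behaviour the post describes: keep the memorable stem and bump
    the number. Produces the stem with its counter increased by 1..steps,
    keeping the original zero-padding. If the old password has no trailing
    digits, the guess is the old password with a single digit appended.
    """
    m = _TRAILING_DIGITS.match(old)
    if m is None:
        for k in range(1, steps + 1):
            yield f"{old}{k}"
        return
    stem, digits = m.group(1), m.group(2)
    for k in range(1, steps + 1):
        yield f"{stem}{str(int(digits) + k).zfill(len(digits))}"


def salted_digest(salt: bytes, password: str) -> bytes:
    # Salted SHA-256 stands in for a real slow password hash (bcrypt, scrypt,
    # Argon2). The hash choice changes the cost of each guess, not the number
    # of guesses needed, which is what this example measures.
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def guesses_to_crack(old: str, salt: bytes, target: bytes, steps: int = 12) -> int:
    """Attacker's view: how many rotation candidates are tried before the
    salted hash of one matches `target`. Returns -1 if none match."""
    for i, cand in enumerate(rotation_candidates(old, steps), start=1):
        if salted_digest(salt, cand) == target:
            return i
    return -1


def is_trivial_rotation(old: str, new: str, steps: int = 12) -> bool:
    """Defender's view: a password-change check that rejects a new password
    which is the old one with its counter bumped, or which differs from the
    old one only in its digits (e.g. Fluffy03 -> fluffy2010).

    Assumes the old password is available in cleartext at change time, which
    it normally is: the user has to enter it to authorise the change.
    """
    if new in rotation_candidates(old, steps):
        return True

    def letters_only(s: str) -> str:
        return re.sub(r"\d", "", s).lower()

    # All-digit passwords have no stem to compare; leave them to other rules.
    return letters_only(old) != "" and letters_only(old) == letters_only(new)


if __name__ == "__main__":
    salt = b"constructed-salt"
    stored = salted_digest(salt, CURRENT_PASSWORD)
    print("guesses needed:", guesses_to_crack(PREVIOUS_PASSWORD, salt, stored))
    print("policy rejects it:", is_trivial_rotation(PREVIOUS_PASSWORD, CURRENT_PASSWORD))
    print("unrelated passphrase rejected:",
          is_trivial_rotation(PREVIOUS_PASSWORD, "correct horse battery"))
```

With the constructed data the current password falls on the first guess, which is the post's point: once one password leaks (a written-down note, a reused password elsewhere), monthly rotation buys nothing. The check in `is_trivial_rotation` is the kind of policy that works with human behaviour instead of against it, and it only needs what the change form already has, the old and new cleartext.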

There are many more examples, but the premise of this article is that when designing security policies, you have to think about the human element. People just want to get their work done with a minimum of fuss, and security is about the last thing on their minds. Why not design policies that let them do that while still achieving the security aims: keeping data safe, ensuring that third parties cannot access it, and so on? A control that users route around is worse than no control, because the data then leaves through a channel nobody is watching.