Creating the Policy
The next step in creating a security policy is to build the policy itself, based on the threat priorities clarified or illuminated by the risk assessment. In essence, this is a matter of identifying the various costs associated with mitigating each of those threats, and selecting a set of strategies for doing so that is appropriate to relevant business needs and budget limitations.
There's no getting around the fact that securing information and IT resources imposes costs on an organization. The costs of hardware and software tools are the most obvious--and can seem the most daunting to a budget-conscious IT practitioner--but they are often the easiest to address. Assessing costs and benefits to fit expenditures within a defined budget, is, after all, what executives are paid to do.
The intangible costs to the user and organization--in efficiency, productivity, morale and training--prove much more difficult to get a handle on. Adding functionality or interoperability almost inevitably adds new vulnerabilities and avenues for attack, and securing those functions usually places burdens on the users.
Allowing users to send and receive e-mail attachments exposes them to attachment-borne malware, but blocking attachments disrupts workflow and can impede cooperation with other organizations. Giving users remote access to the corporate network creates opportunities for attackers to intercept sensitive network traffic or masquerade as legitimate users, but blocking access severely limits employee flexibility.
Because of these burdens imposed on users, a good security policy takes user behavior and responses into account. Users are neither static nor easily controllable. They are intensely aware of their working environment and, when faced with a perceived obstacle, will look for ways to go over, around or through it.
When security measures appear to present such an obstacle, user responses can easily create a greater problem than the one those measures were intended to address. Education, moreover, will not always change user behavior.
Therefore, when creating a security policy, planners should take careful note of the measures that require user cooperation, those that do not, and the ones that fall somewhere in between. For instance, user behavior has essentially no impact on server patching, while password and VPN usage place a great deal of power in the user's hands.
A surprising number of strategies fall into the middle. For instance, companies don't need user cooperation to block instant messenger clients at the perimeter or to filter Web content, but those actions can prompt users to turn to Web-based chat alternatives or anonymous Web proxies as workarounds. This renders the blocking and/or filtering ineffective, and can introduce new threats by luring users to insecure Web sites.
Planners must decide how much they are willing to rely on user cooperation for an organization's security. The more faith they place in the user, the more flexibility and functionality they can provide, but the more precarious their IT defenses will be.
Tenable Security's Ranum argues that by default, users should have no access to any IT resources, with exceptions made for the functionality they must have to do their jobs. "You have to assume that employees will do exactly the things you don't want them to do, because sooner or later some of them will," he says.
On the other hand, PayPal's Barrett argues that the IT security staff's role is to provide users with safe access to as much functionality as is feasible--not to block them as much as possible. "Cars don't have brakes to make them slower, but to allow them to be driven faster safely," he says.
This can prove to be an extremely difficult decision: Both extremes of this trust continuum present clear costs and benefits, but the various points in the middle--where most organizations will inevitably find themselves--present much more complex and murky tradeoffs, with often counterintuitive results. The bottom line is that there is no "right" answer for everyone. Each enterprise has to assess its own needs, its own staff and its own internal work processes to find the best balance.