Enforceable Policies
2008-06-27 14:23:29 by Burton Group in Security and Risk Management Strategies Blog
Blogger: Randall Gamby

Across the different security technology presentations given this week at Catalyst, one common theme has been the important role of policy. As people hear about new and better technologies and how they can be integrated into their existing infrastructures, they should take the time to examine their policies to make sure they keep up with the solutions being considered. Questions to ask:

  • When did we last review our policies?
  • Do we have too few or too many?
  • Will they still be valid once the new technology is in place?
  • Are there other influences on them (regulation, contracts, business changes)?

But while changes will most likely be needed for many current policies, a question that often isn’t asked is, “Are they enforceable?” As enterprises create policies based upon what users “should do,” can the security team validate that they “did do” what was asked? For example, a common policy is, “All sensitive data at rest must be encrypted.” Taken literally, this means you must encrypt your Active Directory, your e-mail storage and every production database, yes? That's probably not happening. So if the enterprise has no way to implement or verify the policy, then it ultimately is not a valid policy: either the policy needs to be modified, or the enterprise needs to commit the money, resources and time required to conform to it.

The social effect on the user population also needs to be considered. An unenforced policy essentially teaches users that they don’t have to conform to this policy, so maybe they don’t have to conform to the others on the books either. Not a good lesson to teach them.

So as the Catalyst attendees go back with “dreams of technology sugar plums dancing in their heads” don’t forget that good governance with valid processes should be skipping around the edge.
