Got your policy in place?

On October 26, 2004, in Security

I’m in Pasadena this week at EnCase/Guidance Software training, and one of the key elements they discussed was an AUP. What? Don’t know what an AUP is? It’s your guideline to your employees; it’s called an Acceptable Use Policy. The SANS.org web site has a whole list of policies that I’ve linked to before.

So… do your clients have a security policy? Do your clients require their employees to sign the policy? Does it document what resources they have the right to access? Is it less than 10 pages? That is approximately the size that will hold 15 minutes of attention. If employees cannot read it in 15 minutes, it’s too long.


I’m listening to a recording about the subject, and one of the recommendations they make is to make sure that the boss is aware of and in agreement with the policy. Do you ask your client if they have a policy? Do you offer to help them craft a policy… one that they can live with?


One of the discussions we got into today is that what is acceptable for one firm may not be for another. A guy from a software firm that does databases [and no, it wasn’t Microsoft] was saying that they use internal and external IM because their environment needs this type of “collaboration” environment. So for him, he can’t restrict IM. Another attendee, from an insurance company, has to worry about HIPAA, and any ePHI can’t go over IM without protection and logging. So for her environment, IM is not acceptable. At least not the “normal” IM that most of us use.


Today, while sitting in a class that had Internet access on the desktops, I tried out the web-based MSN IM and realized that its traffic appears to go over port 80. You know port 80? What the experts call the universal firewall bypass port?


It’s clear to me that if we don’t have written policies in place to help people know exactly what they can and cannot do, even in our small firms, we’re not properly matching up policies with technology. Even small firms need both in place. We have risks just like big firms. Your security policy should be a clear roadmap of what your risks are. If your biggest risks, or your clients’, are worms and viruses, and your security policies do not limit or block web-based email, you are not aligning your policies with your risks.


So the next time you are in your client’s office, ask them what their “pain point” is… what are the biggest risks they face? Now have them grab their security policy. Compare that policy with what they just said their risks are. Do they line up?
