
News

July 10, 2000


Effective Security Policies Require Frequent Reviews

By George V. Hulme

Illustration by George Age

Companies have the best intentions when drafting their initial IT security policies. The problem is that once written, most policies collect dust.

According to the InformationWeek Research survey, 36% of respondents have no regular agenda for reviewing their security policies, 17% do so once a year, and 5% never do at all. For policies to deliver their value, they have to be aligned with key business issues, which means they need to be updated continually and employees must be alerted to any changes. How many companies are more diligent? Eleven percent of survey participants undertake the review process more than once a year, and 26% continuously review their security policies.

What does a policy update entail? It's a lot of common-sense stuff. Firewalls need to be updated and known vulnerabilities in applications and operating systems addressed. And companies should constantly reassess the value of data in certain departments.

For example, what is the impact if the details of a new business strategy, product, or marketing campaign get into the hands of a competitor? These areas need to be quantified to make reasonable decisions on how to allocate security spending. "The organization as a whole needs to be following this circle of continuous improvements," says David Remnitz, CEO of data security company IFsec LLC.

A memo to employees should follow each update. It should outline new procedures, and remind them of the basics--to handle E-mail attachments with extreme caution and to inform the IT staff if they'll need access to the company network from a dial-up connection on their home PCs. The average user has no idea that unprotected dialing into the network could put the entire organization at risk.

Tanya Candia, VP of worldwide marketing for security vendor F-Secure Corp., says part of the problem for getting users to comply with security policy is software complexity and human nature. That's why she advises automating security as much as possible. "You don't want to force employees to have to make security-critical decisions all day," she says. F-Secure's FileCrypto product has a default policy to encrypt every file on a hard disk, so that if a notebook is misplaced, whoever finds it will have a hard time perusing its contents.

"There has to be understanding about security from the janitor all the way up to the CEO's office," Remnitz says. "Security is a very important aspect of doing business in the electronic world."

Return to main story, "It's Time To Clamp Down."

