Handbook of Information Security Management: Computer Architecture and System Security



The Fine Print

The task of developing detailed policy is often avoided because it is seen as too daunting. It is sometimes postponed because “there is no way to predict where information technology will go next.” While this is true, you need specific policies as soon as they become feasible, plus a general policy to deal with emerging areas of concern. For example, consider the fairly recent ability to browse the World Wide Web with a desktop computer attached to the company’s Internet connection. It is now possible to formulate specific policy such as “employees must not use company systems to visit Web sites that contain sexually explicit material.”

However, in companies where employees have, for a time at least, enjoyed unrestricted Web access, such specific policies may be resisted (as though browsing the Web on the company’s dime is a right, just like selecting your own desktop design or installing your own games). But if the company has a preexisting general policy statement that asserts ownership of information processing assets, any restrictions on how PCs may be used can immediately be vindicated and enforced because they are clearly in keeping with that policy.

On the other hand, you have to be realistic. The desktop computing environment is inherently difficult to control and so the most effective policies are those which are understood and accepted by those who must abide by them. Developing policy by consensus is clearly more effective in this environment than policy by decree. To this end, high-level policy statements which establish the company’s right to control its own computers play an important psychological role.

Desktop Security Awareness

It is not enough to develop security policies for desktop systems. Users must be told what the policies are and trained to support them. The ideal situation is a self-regulating work force so that, for example, when Fred in engineering brings to work a game on a floppy disk that his son brought home from school the night before, Mary will refuse to put it in her PC because she knows that (1) it is a violation of security policy; (2) it exposes her PC, and thus the company LAN, to the risk of virus infection; and (3) LAN downtime and person-hours consumed by virus disinfection have a negative effect on company profitability, which in turn has a negative effect on her earnings and employment prospects.

Raising employee security awareness to this level requires a significant training effort, but it is money well spent relative to more technology-oriented solutions. In an age of universal computer literacy it would be foolish to rely solely upon high-tech security systems, since there will always be people with the skills to challenge such defenses. You can reduce the incentive to mount such challenges by eschewing policy dictation in favor of consensus-based policy making. If employees understand and thus “buy in” to the policy, the technical defenses can be concentrated in the areas of greatest effectiveness.

Determining those areas is an ongoing process which depends upon a different type of security awareness: that which you cultivate as a security professional. It involves staying current with the latest trends in computer insecurity, for example, new virus outbreaks, newly discovered operating system vulnerabilities, and so on. You maintain this awareness by subscribing to industry publications, participating in online forums and mailing lists, attending security conferences, and networking with fellow security professionals.

PHYSICAL SECURITY: DESKTOPS AND LAPTOPS

Efforts to thwart computer equipment theft are a good illustration of the importance of security awareness. For example, do you know the total value of desktop computer equipment that is stolen every year in North America? The answer, according to SAFEWARE, the Columbus, Ohio-based computer insurance specialist, is quite staggering: more than $1 billion. Consider some of the security implications of desktop computer theft:

  All data on a stolen hard drive that was not backed up is now lost.
  No data can be accessed in a timely manner while backups are restored to replacement equipment.
  Certain components, such as custom cables, are hard to replace if stolen.
  Most PC-based systems depend upon a very specific configuration of hardware and software which may be difficult to replicate on replacement systems.
  Unless it was encrypted, anyone who receives a stolen PC has access to the data stored on it.
  If the stolen PC is recovered it is very hard to know whether or not someone made a copy of the data that was stored on it.

Obviously, your information security policy should mandate that backups of all data be available at all times (this typically requires off-site backup storage as a defense against backup media being stolen along with the systems backed up thereon). However, even if you are in compliance with this lofty goal, backups cannot solve every security problem. If a competitor obtains copies of your trade secrets by stealing your computers, having a backup copy is not much consolation. [10]


[10] “Someone broke into the offices of Interactive Television Technologies, Inc. in Amherst, New York, and stole three computers containing the plans, schematics, diagrams and specifications for proprietary Internet access technology still in development but conservatively valued at $250 million.” Reuters, 1996.





The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course this version is getting a bit old and may not contain all of the info that the latest versions are covering; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.