Let's Not Go There…

The real causes of the museum dilemma were not technical. The real causes were inertia, politics, and poor management. Don't let this happen to your network.

The basic problem was that the museum was operating without proper policies and procedures. Policies and procedures are the foundation for security. Without them, it's impossible to maintain control of security. By their actions and inactions, the museum staff created an environment in which their own network wasn't safe enough to use.

Here's what they should have done instead.

Put Someone in Charge of Policies and Procedures

Someone needs to take responsibility for policies and procedures. If your policies and procedures are outdated or poorly written, do something! Put someone in charge of writing, auditing, and disseminating the policies and procedures. If you have a large company, you may need an entire group dedicated to just that.

Most importantly, make sure that your policies and procedures are followed. Consider that in 2000, U.S. defense systems were subjected to 250,000 attempted cyberattacks. Of the 245 attacks that actually succeeded, 96 percent would have failed had users followed the security protocols already in place.

Delineate Cross-Organizational Security Support

If your company has a security group and a system administration group, you need to clearly define their roles and responsibilities. Are the system administrators responsible for configuring the systems? Is the security group responsible for reporting noncompliance?

If no one is officially responsible, nothing will get done. And there won't be anyone to hold accountable for the problems.

After you clearly define the roles, you need to make sure that each group does what it's supposed to do. Follow through! In this scenario, the security group admitted to being responsible for the policies and procedures. Yet, they didn't update those procedures, write them clearly enough for anyone else to follow, or make them easily available. In short, they didn't do their job. Someone should have noticed that and followed through to make sure the job got done.

Don't Wait for Miracles

The system administrators who were responsible for configuring security had no idea how to do that. Given the poor state of the procedures, the confusion really wasn't their fault. What was their fault, however, was that instead of reporting that problem to management and working to resolve it, they did nothing. Were they waiting for divine intervention on the file servers?

If your company's policies and procedures are unclear, you need to find a way to clarify them. If necessary, get help from management. Don't just sit around waiting for miracles.

Question Processes

One question we never really examined in this audit was whether it should have been the security group's responsibility to write all the policies and procedures for the museum. It was assumed to be their job simply because that was the way it had always been done.

I assume you've all heard the story about trimming the roast. A certain housewife always trimmed off the end of her pot roasts before cooking them. One day, her husband asked her why she was doing that. "I don't know. My mother always did it that way," she answered. She called her mother, who said "I don't know. My mother always did it that way." In the end, the great-grandmother informed the woman, "So it would fit in the pan." Turns out the old woman owned only one roaster and it was too small to hold a standard-sized roast. Of course, her progeny all owned adequate-sized roasters. They just threw away the best slices out of habit because they never questioned the process.

Maybe five years ago, when the system was set up, it really was the best choice to assign policy and procedure writing to the security group. But that doesn't mean it's still the best choice. Take the time periodically to examine whether roles and responsibilities are still assigned to the best people for the job. Never act without thinking simply because your predecessors did.

Know When to Cry "Uncle"

Corporate living is always a mixed bag of good and bad. As much as we like to pretend we're all above it, there's a lot of petty politics going on. Sometimes, it's best to let the other side win when the battle isn't really that important or when fighting the battle takes you away from your real job. When the battle becomes more important than protecting the data, the only one who really wins the war is the hacker.

Be Responsible

If you're a system administrator, you are responsible for installing and maintaining the security of your system. That responsibility applies even if your company has a security department that handles intrusions, auditing, and policies and procedures. In the end, when things go wrong, everyone is going to turn to (and on) you. Always remember that.

Checklist

Use this checklist to determine whether your company is correctly using policies and procedures to promote security. Can you mark a "Yes" beside each item?

___ Are policies easy to read and understand?

___ Does everyone either have a copy of the policies or at least know where they are?

___ Does someone "own" responsibility for the policies and procedures?

___ Does the policy owner attend security conferences and otherwise keep current on policy issues?

___ Are the policies and procedures updated on a regular basis?

___ Are routine audits of the policies and procedures scheduled?

___ Does management support the policies and procedures from the top down?

___ Are new personnel trained on security policies and procedures?

___ Are reference materials on the policies and procedures available?

IT Security: Risking the Corporation
ISBN: 013101112X
Year: 2003
Pages: 73