Four weaknesses exist with virtually all security policies that cause many of them to collapse under their own weight. By not addressing these issues, you can virtually ensure that your security policy will be unenforceable and unusable by most if not all your users. The four reasons why security policies fail are as follows:
Security is viewed as a barrier to progress.
Security is a learned behavior.
Security is rife with unexpected events and occurrences.
Your security policy is never finished.
This is perhaps the biggest barrier to a successful security policy and should not be underestimated. Because security policies are designed to secure resources and mitigate threats, they are often at odds with the users and the resources they are trying to protect. There is an old joke about how securing a network is a triangle with three choices (security, functionality, and usability) and you can only choose two of the three. Although it probably isn't quite that bad, it isn't that far from the truth either. In some cases, these are technical issues that can be addressed by technical solutions (for example, implementing a different method to perform a task that doesn't interfere with the usability of the resource). In other cases, this is simply a people issue for which technical solutions are often not appropriate. Such cases require tact and communication to work through the issues, and this includes the necessity for you and your users to make compromises in many cases. Your users will only accept so many interferences to how they need to work, or think they need to work, before they will give up and stop paying attention to the security policy, ultimately dooming it to failure. One method to address this, however, is training and education.
Security is not instinctual. Securing resources is something that needs to be taught to your users, and it needs to be periodically reinforced through training to ensure that your users are kept up to date on methods to secure their resources in accordance with your network security policy. You need to teach your users to understand the value of the network resources so that they understand the value in protecting them. In educating your users, you can eliminate the perception that security in general is a barrier to progress.
You have to be able to expect the unexpected; the more complex a security policy is, the greater the likelihood that the security policy will fail. There is simply no way you can address every user's every need and still provide a secure environment. You have to expect certain failures (as well as certain disasters) to occur, remaining constantly vigilant so that you can react accordingly and update and change your security policy as required. This leads us to the next section.
No matter how much effort you put in, your security policy is never finished. A security policy is a living document, and you must constantly review and update the policy to address changes in technology, system failures, and even policy issues that cause the security policy to become ineffective. Don't wait for your security policy to stop being functional before you decide to review it.
So how do you prevent your security policy from failing? It's relatively straightforward if you always remember that there is no perfect policy. Here are the steps you should follow:
Identify and plan for the natural weaknesses that exist in your security policy.
Educate your users to ensure that they understand the value of protecting the resources and why they play an integral role in the security process.
Perform regular reviews and audits of your security policy to ensure function and compliance.
Most important of all, make corrections when needed. Don't be afraid to say, "Well, that didn't work," and make changes accordingly.