Systematic security

Protecting your IT infrastructure requires translating security policy into people, processes and technology.

If you walk into any of the seven Penn National Insurance locations across the U.S. after hours, you may find more than cleaning personnel. You may spot Tom Miele scanning desktops, looking for passwords on sticky notes, placed under mouse pads, keyboards or taped under desks.

When the information security manager catches employees storing passwords, he drills them on company policy and makes them aware of their responsibility for being entrusted for business data. “They are the first line of defense. It’s up to them to protect that information,” Miele says.

Users are key to maintaining information security, and experts say security awareness training helps people to mitigate the risks. Protecting electronic assets requires a security policy that outlines the process for managing information access. While security tools and auditing practices help control the policy adherence by employees and business partners, policy updates are crucial to maintaining a solid defense as business needs change and new access methods arise.

Penn National rolled out security awareness training to 900 users at its headquarters in Harrisburg, Pa., and six other locations in 2001. Now new users complete online training as part of the employee orientation program, and everyone signs an annual security compliance statement.

The directors of infrastructure and computer operations, CIO and business leaders all provide ongoing input for updating the insurance firm’s security framework, Miele says. A team approach to policy design ensures reasonable data access methods, essential auditing procedures like internal checks and external network penetration tests, and security tools such as encryption, antivirus software, and host- and network-based intrusion detection systems that properly mesh with network architecture.

While the audit department staff focus on managing telephone, fax, e-mail and Internet data access, the legal team at Penn National works to clarify company privacy commitments that outlaw unauthorized downloads of data to diskettes or PDAs.

Shoring up security puts ownership on business managers for deciding which employees have a need to access the Internet or to send e-mail outside the company. “You get buy-in if people are part of building the policy,” Miele says.

Managers need to grant the privileges that are justified by a business need, and policy development should address the uniqueness of different company roles, adds Charles Cresson Wood, an information security consultant in Sausalito, Calif. A vice president of marketing would make the decision about who has read or write access to the customer database, for example.

Wood agrees that employees are critical in the grand scheme of information security. “Users are receiving the viruses over the Internet, and getting the phone calls from social engineers who are trying to get pieces of information that will help them break into systems,” he says. Any user can provide an avenue into the company network, and all who have access to data need to be aligned with the company’s security objectives.

Sound security policies must define security measures in detail, because inconsistency can open holes and provide an invitation for loss within a company. “Policy defines how you install a firewall, which services to allow and which you’re going to block. You could have system administrators in different departments setting up systems in an inconsistent way,” Wood says.

Just as important, policies need to keep up with changes in business objectives or system architecture, such as the introduction of PDAs or wireless technologies. That requires the security policy to be a living document, says Kim Van Nostern, chief information security officer for Allstate Insurance in Northbrook, Ill. A three-person security team routinely investigates and develops changes to the firm’s security policy, and the group receives support and input from other business staff as needed.

Van Nostern says security changes need to be auditable and implemented within reasonable timeframes. In some cases, a change has a significant financial impact. For example, changing a password-reset policy from 60 to 30 days would increase the number of help desk calls, and with the average $30 cost of a help-desk call, and 50,000 Allstate users, even half a percent of those people calling in for help with their password would be significant, she says.

Jim Flynn, security policy and strategy manager for United Parcel Services in Mahwah, N.J., points out that security is a basic factor to consider when implementing a new technology such as an instant messaging application. UPS is currently evaluating how an instant messaging capability fits into its overall security framework, and the technology change requires a security risk assessment, he says.

Security policy development is an ongoing process of access control, authentication and data protection. “Users should know their role in protecting UPS information and assets. They sign off that they understand the compliance that’s expected,” Flynn says.