6.2. You Want Me to Do What?

You can write all the policies that you want — but if you can't enforce them and your users don't follow them, they're useless. With security policies, you need to ensure that you have the appropriate support from across the organization in order to be successful. End users are an important part of this equation, but a host of other groups need to buy off on your policies, so you must account for all of them.

Chapter 7 talks about some of the numerous groups and teams you have to interface with when forming and deploying your security policies. You have to write and review the key components of your policies with these groups.

6.2.1. Being reasonable

Unreasonable policies can easily alienate everyone involved in the security policy process — from upper management to the end user. Never lose sight of the fact that all these people are your customers, and your (not so simple) task is to ensure that they're productive and happy, without risking security.

By keeping policies reasonable, you can actually increase the odds that employees follow the policies (ensuring your ultimate success in the task). The following sections discuss some sample policies, outlining what's reasonable and what's not.

6.2.1.1. Backup

Backup policies are very common these days — corporate data is extremely valuable, yet so much of it is stored on laptops and other PCs that can be lost or stolen, or simply fail. For these reasons, it makes a lot of sense to have a backup software policy. Here are two ways that you might address this requirement:

  • Unreasonable: At the end of each work day, every employee must save all newly created or edited files to both their hard disks and a network file share.

    This policy is obviously unreasonable. Backing up their files to a shared drive themselves requires the users to go through an unnecessarily manual process. At the same time, employees may forget or simply won't want to do this manual save. If users don't back up their files, you have no recourse — how can you even tell whether employees are bypassing the policy?

  • Reasonable: The company installs backup software on every corporate managed system. The user must not uninstall, bypass, or alter this software in any way.

    This policy is more reasonable than the preceding one, so look to implement this kind of policy. In this example, you simply ask employees not to tamper with their backup software so that automatic backups can continue. Because you're rolling out NAC, you can use NAC to check whether the software is still installed and running, ensuring that you can enforce the backup policy.

6.2.1.2. Passwords

End users have dozens of passwords related to various systems, and users must update and change most of these passwords periodically. People like you, trying to figure out the best possible policies for password management, have put these policies into place.

Today's systems make it simple to set timers and limits on passwords, forcing the end user to change his or her password within the defined limits. But you need to balance end user convenience with security to keep your password policy reasonable:

  • Unreasonable: Employees must change their passwords every week. All passwords must have a minimum of 15 characters, including at least one letter, one number, and one symbol.

    This policy is simply unreasonable, and end users won't be able to remember the extraordinarily long and frequently changing passwords.

    Password policies such as this example frequently lead to one of the top causes of password theft — your users start to write their passwords down (putting sticky notes containing their passwords somewhere near their desks, for example) or rely on similar insecure behavior to remind themselves of their passwords. Or they might end up forgetting their passwords altogether, resulting in a lot of calls to the helpdesk, which costs the organization unnecessary dollars.


  • Reasonable: Employees must change their passwords once per quarter. All passwords must have a minimum of eight characters, including at least one number and one letter.

    This policy is much more reasonable than the preceding policy. Some employees might complain about changing their passwords every quarter, but they should be able to deal with this type of policy. At the same time, the eight-character minimum meets current, industry-accepted best practices for a reasonable password length — and should cut down on the number of people either forgetting their passwords or writing them down so that someone else might find and use them.

6.2.2. Book 'em, Danno!

Enforceability is a key aspect of any security policy. Regardless of the amount of training, reminding, and retraining you do, if you can't enforce your policies, end users can bypass those policies, leaving your organization with security holes.

Enforceability has two aspects:

  • Making it very difficult for users to bypass the policies

  • Implementing recourse if users do bypass the policies

When possible, you want to ensure that you have policies that are very difficult for users to bypass. For example, you can enforce a password policy fairly straightforwardly. You simply set your systems so that after the user's password expires, that user must change the password before he or she can access the network. In the case of antivirus software policy, ensuring that every machine has antivirus installed and up to date can get a bit more complex, but quarantine is perfect for one of your NAC policies — allowing you to restrict or even forbid non-compliant machines access to the network.
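The two enforceability aspects above only work if each clause of a policy maps to something a system can actually check. The following added example (not from the book, and not any NAC product's code) turns the "reasonable" password policy from the Passwords section and the backup and antivirus checks from this section into a posture evaluation: a host whose backup agent or antivirus fails the check is quarantined, a user whose password is past the quarterly limit is forced to change it before getting network access, and a compliant host is allowed. The host attribute names, the 91-day quarter, the seven-day signature-age threshold, the decision labels, and the sample hosts are all assumptions constructed for the example; the book gives only the policy wording.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds taken from the "reasonable" policies in the text.
PASSWORD_MAX_AGE = timedelta(days=91)       # "once per quarter" (91 days is an assumption)
PASSWORD_MIN_LENGTH = 8                     # "minimum of eight characters"
AV_SIGNATURE_MAX_AGE = timedelta(days=7)    # "up to date"; the 7-day figure is an assumption


@dataclass
class HostPosture:
    """Facts a NAC agent or scanner can report about an endpoint (hypothetical field names)."""
    hostname: str
    backup_agent_installed: bool
    backup_agent_running: bool
    av_installed: bool
    av_signature_date: date
    password_last_changed: date


def password_meets_policy(password: str, min_length: int = PASSWORD_MIN_LENGTH,
                          require_symbol: bool = False) -> bool:
    """Composition check. Defaults match the reasonable policy (8+ chars, a letter and a digit);
    min_length=15 with require_symbol=True reproduces the unreasonable one for comparison."""
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(not c.isalnum() for c in password)
    if len(password) < min_length or not (has_letter and has_digit):
        return False
    return has_symbol if require_symbol else True


def evaluate_host(host: HostPosture, today: date) -> tuple[str, list[str]]:
    """Return (decision, findings). Decisions: 'allow', 'change_password', 'quarantine'.
    `today` is passed in explicitly so the evaluation is reproducible."""
    posture_findings: list[str] = []
    if not host.backup_agent_installed:
        posture_findings.append("backup agent not installed")
    elif not host.backup_agent_running:
        posture_findings.append("backup agent installed but not running")
    if not host.av_installed:
        posture_findings.append("antivirus not installed")
    elif today - host.av_signature_date > AV_SIGNATURE_MAX_AGE:
        posture_findings.append("antivirus signatures out of date")

    password_findings: list[str] = []
    if today - host.password_last_changed > PASSWORD_MAX_AGE:
        password_findings.append("password older than quarterly rotation limit")

    # Machine-level failures keep the host off the network entirely; a stale password
    # alone only blocks the user until the password is changed, as the text describes.
    if posture_findings:
        decision = "quarantine"
    elif password_findings:
        decision = "change_password"
    else:
        decision = "allow"
    return decision, posture_findings + password_findings


# Constructed sample endpoints for a stand-alone run.
TODAY = date(2024, 6, 1)
SAMPLE_HOSTS = [
    HostPosture("laptop-01", True, True, True, date(2024, 5, 30), date(2024, 4, 1)),
    HostPosture("laptop-02", True, False, True, date(2024, 5, 30), date(2024, 4, 1)),
    HostPosture("laptop-03", True, True, True, date(2024, 5, 30), date(2024, 1, 15)),
]


def evaluate_all(hosts: list[HostPosture], today: date) -> dict[str, str]:
    """Map each hostname to its access decision."""
    return {h.hostname: evaluate_host(h, today)[0] for h in hosts}


if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        decision, findings = evaluate_host(host, TODAY)
        print(f"{host.hostname}: {decision} {findings}")
```

Note that nothing in the "unreasonable" backup policy (save files to a share by hand at the end of the day) could be expressed as a `HostPosture` field; that is exactly why the text calls it unenforceable.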

NOTE

In some cases, you might not be able to enforce specific policies all of the time through technology. In these cases, you need to have management buy-in.

Before going to management and asking for new people to help deploy and enforce policies, make sure that you have a good idea of the projected cost, the likely tradeoffs, and what might happen if you don't implement these policies. Just don't exclude the cost of enforcement.

6.2.3. Impressing the big wigs

You really need management support for your security policy. Not only do executives hold the purse strings, but they also act as a key ally when you roll out your new policies and need big-gun sponsorship, or maybe a little extra management motivation, to get the masses to readily adopt the new plan.

From a financial perspective, every new policy that you try to roll out has some cost and (hopefully) some benefit. When making the case to management, you need to devote PowerPoint slides to these key metrics.

In some cases, the key benefit of a particular new policy is cost savings. Maybe the policy makes employees more productive or cuts down on the number of helpdesk calls that your support team receives. In other cases, new security technologies bring reduced risk to the organization, justifying spending a large amount of money for those technologies. For example, new policies that protect data on laptops might prevent your CSO/CIO from appearing on the front page of the world's newspapers after a massive data theft or loss incident. You can't easily put a number on the value of such threat prevention, but you need to point to the value that your data protection policies offer to the organization as a whole.

Management can present your policies to the end users when you're ready to deploy those policies. If you're a network or security administrator, you probably don't have the clout to convince end users about the importance of new security policies. If, however, you have an upper-level sponsor, he or she can be the big gun you need.

6.2.4. Coercing your colleagues

In most companies and organizations, a number of groups are responsible for the design, implementation, and maintenance of the IT infrastructure — including application developers, desktop support groups, network and security infrastructure engineers, and so on. The security policies that you implement impact each of these job functions.

We've seen many NAC implementations go awry because different groups within the organization don't work well together, so we devote Chapter 7 to the topic. You can easily make a statement such as, "All PCs must have backup software installed and running." But you need to communicate this policy to your desktop team to ensure that you can logistically implement it (ideally before you deploy the policy solution).

In fact, depending on your organization and its size, you can often pull the corporate security policy together most effectively and efficiently via committee. Involving several groups not only ensures that everyone signs off on the policy, but you also benefit from the diverse backgrounds and knowledge that these other groups have to offer.

NOTE

Don't create policies in a vacuum. A well-designed NAC policy always takes into account everyone's feedback, so it's just good practice to involve as many people as possible from the start.

6.2.5. Training the masses

After you put together the appropriate policies and decide how to implement each policy, you need to educate the end users on the policies — how the policies may impact the users and the consequences if the users don't follow the policies.

End user training can be a daunting experience. But with a little bit of creativity, the rollout can go smoothly, with little negative impact.

Most importantly, you need to consider your audience. Are your end users technical or non-technical? If you happen to work in a company in which everyone is up to speed on the latest security and networking technologies, you might be able to train your end users very easily. We're willing to guess, however, that you don't work in such a company. As a result, take a step back and try to think through how a typical end user might think about security policies.

If you're having difficulty figuring out whether your users are techie enough, ask yourself, "Do they think IP is an acronym for intellectual property or International Paper?" Similarly, "Do they think NAC stands for North Atlantic Conference or the National Aerobics Championships?"


Anything about security often seems a foreign topic to users because, to be perfectly honest, most of them don't think about this stuff on a day-to-day basis. Therefore, you need to phrase concepts in common language wherever possible — and make it as fun as possible, too. End users often simply ignore or bury an e-mail that you send about new security policies, so you don't get your message across. Try something more unique, such as posters in break rooms or notices on elevators. Post notices in the restrooms if you think that can help get the point across. Raffles, contests, lunchroom placards, free prizes — it can all prevent future problems and bruised feelings.

Make the message as fun as possible, too. Don't use acronyms and NAC-speak security idioms. Just use conversational language. We don't expect you to become an ace marketer overnight, but a little bit of effort towards making security enjoyable for your end users can pay hefty dividends over the course of the policies.

As with any policy — from NAC to your rules for your kids — end users are likely to forget over time. You need to have periodic reminders of the policies. At the same time, you need to bring new hires that come into the organization up to speed on the existing policies. Many organizations have new-hire training and/or manuals, as well as periodic retraining or reminder requirements. Many organizations distribute a copy of the security policy (written in plain English) to every new worker. The worker must read the policy and then sign an affidavit indicating that he or she has read and agrees to abide by the policy. Periodically (annually, for example), the employees must view the updated policy document (if you've changed it) and again confirm that they understand the policies and agree to abide by them.

Figures 6-1 and 6-2 show example posters that you might hang in various areas around the workplace. Figure 6-1 reminds people of acceptable e-mail use, and Figure 6-2 shows the example company's mobile device use policy.

NOTE

When you roll out your policies to your user group, keep it simple. Unnecessary technical jargon only confuses (and possibly scares) your user group. If you can't spell out the policy in terminology that a non-technical user can understand, then probably no one will follow it.

Figure 6.1. This poster tells employees to stop and think about proper e-mailing.

Figure 6.2. Remind employees that their mobile devices need watching.
