Considering the development of an information security policy?
If your company is still pondering how, when, or why to implement a security policy, you are not entirely alone -- for the time being. The management teams in most businesses today are rapidly becoming aware of the importance of implementing a security policy. The rise in computer crime and the legal ramifications of not having a policy have gone a long way towards educating corporate America on the risks of not having a security policy in place. In a more positive light, some companies even consider the implementation of a security policy to be a competitive edge, since it reduces the possibility of negative exposure, litigation, and leakage of vital information.
However, effectively implementing a security policy requires the support of the entire company from the top down. When computer systems are implemented, it is too often done with ease of use and functional requirements as the top priorities. In these cases, security is an afterthought, and implementing a new security policy later can make systems more difficult to use or even affect their overall functionality. This is the primary reason that all members of the company need to understand the benefits of a security policy and why they may need to make some sacrifices to reduce security risks.
The following items reflect some of the important considerations you need to keep in mind and some of the roadblocks you may encounter in your policy development efforts:
Security Budgets: Justification to Management
Convincing upper management to invest in security is a challenge because quantifying the return on investment is difficult. Experts can give you insight into the best ways to pitch your security budget needs -- and get good results. If your budget is not approved, you need to consider which of the more cost-effective options can still secure your organization.
You Must Have Good Policy Management and Enforcement
What good is your company’s IT security policy if it is not enforceable? Security policies must be living documents that shift as the business goals of your company do. That means there has to be a flexible mechanism in place for reviewing and managing that policy. There must be concrete consequences, backed by management, if the doctrine in the policy is broken.
HIPAA and GLB Help to Set Standards for Secure Environments
If your company is in healthcare, insurance or the financial industry, it has to be fully compliant with the policies and procedures laid out in the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley (GLB) Act. These new standards should be a wake-up call for other companies. These laws further validate that security risks are real and that companies are vulnerable unless they take action to protect themselves.
Legal Ramifications of Security Policies
Would your security policies stand up in court? More importantly, would they protect your organization? What do you think a company’s chances are in court once legal action is taken against it in the absence of any security policy? These are important questions to consider as you ponder starting a policy development project, during implementation, and while managing your organization's policies. If your organization were to press charges against an intruder or defend itself against false allegations, you need to be able to stand confidently by your policies -- your job may depend on it.
Employee Monitoring: Legal Considerations
Is employee monitoring a best practice or an invasion of privacy? If you don't have a policy that clearly states that web surfing, personal e-mail and Internet shopping are taboo, who is at fault? Does the company have to state that it randomly and periodically reviews users’ computer-use habits?
Authentication: Still One of Today’s Biggest Threats
The use of weak passwords is a common vulnerability that plagues most businesses. But authentication is not limited to passwords. Authentication can include any combination of something the user knows (a password or PIN), something the user possesses (a smart card or token) or a physical characteristic (biometrics). To make matters more complicated, the method(s) you choose should be balanced against ease of use and the level of security required.
Intrusion Detection Systems – Should My Policy Include Them?
Intrusion detection systems are one of the fastest-growing security technologies since antivirus scanners and firewalls. However, many companies are not aware of the real resource requirements and don’t pursue more cost-effective means of implementing IDS, such as managed services. Hence, IDS is often added to security policies as a required technology, but the IDS is never properly managed and is therefore ineffective. While IDS is a truly valuable tool, if it is not properly managed it provides a false sense of security and may therefore pose additional risk to the company.
Wireless Networks: A Breakthrough or New Threat?
You know you cannot secure your wireless network the same way you secure your wired network, but how can you be assured that the wireless standards used to secure your environment are not flawed? The advent of 802.11 (wireless) networking causes serious new security risks, and no policy should be without rules on the use of wireless technology.