Five basic errors in security policy

Five errors that businesses often make when preparing and enforcing information security policies. Some of these errors seem quite simple, yet they happen often and cause serious losses.

No policy

Of all security policy errors, this is the biggest: having no policy at all, or only an 'underground policy', the kind that is discussed unofficially by management, never minuted and never published to anyone.

This negligence not only weakens security and exposes the business to legal liability, but may also violate regulations that require a security policy to be officially issued in writing.

Of course, as soon as a policy is formally drafted, businesses often discover that many parts of their systems violate it. This is no surprise, since a policy should not be built solely around the current state of information technology (IT) operations. So, along with writing the security policy, businesses must also identify the defects in their current systems, analyze the risks, and assess the cost of fixing those defects to comply with the new policy.

Not updated

Even if you have avoided that first mistake, you will soon realize a key point: having a written policy is not enough for good security.

Certainly, the business structure and business processes will change, so the information security risks and the accompanying regulations will change as well. Business growth always brings new risks, so the security policy must always be kept up to date.

Reasons for updating a security policy include deploying new technology (or retiring outdated hardware and software), taking on new tasks, and business growth, mergers or restructuring that bring new data and new users into the system, as well as new business routes or practices. Basically, the security policy must be ready to cover any factor of change.

Businesses that do not regularly review and update their security policies are likely to have holes in them and to be vulnerable to attack, despite having a security policy of their own.

Not monitored

If you have built a security policy and keep it up to date, you are two steps closer to 'security paradise'. However, you can still make other mistakes.

The security policy becomes practically and legally useless if the business does not monitor whether the policy is being followed, or whether employees understand its terms. First, to enforce the policy, the business must make sure it has been communicated to all employees, and must regularly run training courses for them, especially when the policy is updated. Next, to ensure the policy is implemented effectively, continuous monitoring is required.

The most effective way to monitor policy compliance is through data collection and analysis. Collecting and analyzing this data allows an accurate assessment of what is actually going on. When an employee e-mails documents to a personal account or tries to access data beyond their access rights, or when an outside attacker tries to break into a server, these events will be recognized. Tracking system and user activity by collecting data and comparing it against the terms of the security policy is the best way to objectively evaluate compliance.

'Pure technical' policy

Assuming you avoid the three 'pitfalls' above, you can still make another mistake regarding the focus of the security policy.

A policy that covers only technical security (password complexity, firewall rules, intrusion prevention alerts, antivirus software updates, and so on) while bypassing any discussion of people and their activities leaves the business vulnerable to threats such as abuse of internal authority and personal use of information resources. It is important to identify the technical safeguards and ensure they are enforced according to the security policy, but the policy must cover the whole 'people, process and technology' triad.

As a reminder, the collected data is important for keeping this balance, because records of system operation (such as system reboots, automatic updates and intrusion prevention) and of user activity are stored and can be compared against the policy and presented as evidence of policy violations or compliance.

Big and bulky policy

A policy must be written in a manner that is understandable for those who are required to comply.

If a policy is written in a solicitor's office and is 130 pages thick, most employees will not understand what it stipulates, and violations will inevitably follow. Similarly, policies that are written too severely and prohibit things most employees routinely do to accomplish their tasks will cause mass disobedience. Education is needed before the policy is applied. Thus, establishing a clear and understandable policy from the outset will increase future compliance.

We have reviewed five common security policy errors. To achieve its goal, a security policy must be written clearly and updated as required. It must cover both technical and non-technical areas. And finally, compliance with the policy must be monitored.

-----------------------------------
Dr. Anton Chuvakin is a security expert and the author of many books. He is currently a team leader at LogLogic, a log management and intelligence company. He is the author of Security Warrior and a contributor to Know Your Enemy II, Information Security Management Handbook, Hacker's Challenge 3 and PCI Compliance.