Cautious first steps in security compliance

Evolution of a security policy should be approached cautiously and initially in a "relaxed" mode, says Symantec Corp.'s regional product manager, Robert Pregnell. Globalization of business, recent international business failures and "cyber-terrorism" scares have combined to generate pressure to adopt security standards and regulations -- ISO 17799, the U.S. Sarbanes-Oxley Act and, for the financial and health sectors respectively, Basel II and HIPAA.

This is a wise move, he says, but trying to handle too much too soon risks overwhelming management and the IT staff who ultimately have to put the information management section of the standards into practice.

"If you look at (a typical) very broad standards document and immediately start considering how this maps to a Windows 2000 server running Exchange, and so on to every other part of the IT infrastructure, you get in too deep very quickly."

Even assuming you've figured out the technical aspects of each needed change, you then run into the company politics, Pregnell says. "You say to the IT guys: 'Make these changes for security compliance,' and they're likely to say: 'But the boss tells me I've got to deploy the new version of Office. He's my boss, you're my peer -- whose job do you think will get done first?'"

A better way of starting is to get hold of a security assessment tool (Symantec supplies one, of course, but Pregnell says he deliberately avoided coming at the question from that angle; similar tools are available from other sources). Such tools allow assessment against the relevant standards in strict, normal or relaxed mode, with relaxed mode typically identifying only a few action points that address the most urgent needs. A short list of this kind is much easier to manage than the full gap between the standard and the infrastructure.

"Implement those changes and you'll learn (on a manageable scale) about the political problems you'll encounter. Then you measure the result of what you've done; and like any refinement process -- like software development -- you go round the cycle again at a more detailed level: assess, implement, make changes, measure." But it's critical at an early stage to "take the bull by the horns and do something," he says.

Among the sorest points of the security compliance workload is patch management. Some of the most frequent security compromises "depend on vulnerabilities that have had patches out for six to 12 months, but the IT guys say you have to test every patch for side effects before you apply it. It's time-consuming and maybe we'll never win the patch race, but we have to get started."
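One way to turn the patch-age problem into the kind of short, prioritised list the "relaxed" approach calls for, as an added example that is not from the article and not Symantec's assessment tool: the script below, written for this page, compares a constructed host inventory against constructed vendor advisories, works out how long each unapplied patch has been available, and keeps only the gaps older than a per-mode threshold. The package names, versions, dates and the strict/normal/relaxed thresholds (0, 30 and 180 days) are all assumptions chosen for the illustration; the relaxed threshold is set so that only patches outstanding for roughly six months or more, the cases the quote above describes, become action points.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    package: str
    fixed_version: str    # first version that carries the fix
    patch_released: date  # day the vendor published the patch
    severity: str         # "high", "medium" or "low"


@dataclass(frozen=True)
class Installed:
    host: str
    package: str
    version: str


@dataclass(frozen=True)
class Finding:
    host: str
    package: str
    installed: str
    fixed_version: str
    severity: str
    days_exposed: int  # days the patch has been available but not applied


# Minimum patch age (days) that turns a missing patch into an action point.
# These thresholds are an assumption for the example, not any vendor's settings.
MODE_MIN_DAYS = {"strict": 0, "normal": 30, "relaxed": 180}


def parse_version(version: str) -> tuple:
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_missing_fix(installed: str, fixed_version: str) -> bool:
    """True when the installed version predates the first fixed version."""
    return parse_version(installed) < parse_version(fixed_version)


def action_points(inventory, advisories, today: date, mode: str) -> list:
    """Return unapplied patches old enough to count as action points in the given
    mode, longest exposure first, so 'relaxed' surfaces only the long-standing gaps."""
    if mode not in MODE_MIN_DAYS:
        raise ValueError(f"unknown mode {mode!r}; expected one of {sorted(MODE_MIN_DAYS)}")
    min_days = MODE_MIN_DAYS[mode]

    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv.package, []).append(adv)

    findings = []
    for item in inventory:
        for adv in by_package.get(item.package, []):
            if not is_missing_fix(item.version, adv.fixed_version):
                continue  # already at or past the fixed version
            days = (today - adv.patch_released).days
            if days >= min_days:
                findings.append(Finding(item.host, item.package, item.version,
                                        adv.fixed_version, adv.severity, days))
    return sorted(findings, key=lambda f: (-f.days_exposed, f.host))


# Constructed sample data: hypothetical package names, versions and dates.
TODAY = date(2004, 6, 1)
ADVISORIES = [
    Advisory("mailsvc", "2.4.1", date(2003, 5, 20), "high"),
    Advisory("webfront", "1.9.3", date(2004, 1, 12), "high"),
    Advisory("dirsync", "5.0.2", date(2004, 5, 25), "medium"),
]
INVENTORY = [
    Installed("mx1", "mailsvc", "2.3.8"),    # a year behind
    Installed("mx2", "mailsvc", "2.4.0"),    # one version short of the fix
    Installed("web1", "webfront", "1.9.3"),  # patched
    Installed("web2", "webfront", "1.9.0"),  # unpatched for about five months
    Installed("dc1", "dirsync", "5.0.1"),    # patch only a week old
]

if __name__ == "__main__":
    for mode in ("strict", "normal", "relaxed"):
        points = action_points(INVENTORY, ADVISORIES, TODAY, mode)
        print(f"{mode}: {len(points)} action point(s)")
        for f in points:
            print(f"  {f.host}: {f.package} {f.installed} -> {f.fixed_version} "
                  f"({f.severity}, patch available {f.days_exposed} days)")
```

On the constructed data strict mode lists all four unpatched installations, normal mode drops the week-old one, and relaxed mode is left with just the two mail hosts that have been exposed for over a year, which is the short list to start with. In a real deployment the inventory would come from the package manager or systems-management tooling and the advisories from the vendor feed; note that the version comparison here only handles plain dotted numeric versions and would need extending for vendor schemes that mix letters, build tags or epochs.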

Dealing with the detail is easier when the framework has been well sketched-out first, he says. "It helps to stand back and see the 'big picture'. Then you can make much more informed decisions about security in general."