Tuesday, April 8, 2008

Circumventing Enterprise Security Policies

An interesting article on how employees are circumventing IT security department policies.

This, of course, exposes the company to IT GRC (Governance, Risk & Compliance) concerns. A couple of hard numbers jumped out at me.

"80 percent of the enterprises are supporting proxy applications, such as KProxy or CGI proxies, which mask the user's identity and surfing habits from IT monitoring tools."

"...half of the enterprises studied by Palo Alto are supporting Tor or other methods for encrypted 'tunneling' through the corporate network. Tunneling enables the user to bypass IT traffic enforcement mechanisms."

A comprehensive security policy starts from the top down with an IT-GRC solution. It then incorporates all the scoring, controls and assessment automation products into a unified view that helps expose situations like those identified in this study. Once the situations are exposed and the risks understood, priorities can be set to resolve these issues quickly.


Wednesday, February 20, 2008

PCI Compliance not going away - 42% not compliant

My inbox, like yours, is filled with numerous advertisements and spam on a daily basis, but this one actually grabbed my attention. It started out by saying:

"according to VISA, 42% of large and medium-sized US merchants did not reach their respective PCI compliance deadlines. The penalty for non-compliance is that merchants incur monthly fines (up to $25,000) until they meet and sustain data security compliance requirements."

Now that is some attention-grabbing marketing, and I plan to be on that virtual seminar.

Almost half (and that's not a stacked number that includes small US merchants) is a very surprising figure. I looked around trying to find information behind the survey results but to no avail, so I'll be listening on the call for some details and facts to back it up. Since our IT GRC solution helps ensure that an enterprise is completely compliant with any regulation, I would like to hear what the top 2 or 3 reasons are that they aren't yet compliant, to see if they map to what we are hearing.


Monday, January 28, 2008

Compliance costs not slowing down - technology automation to the rescue

Deloitte's "Navigating the Compliance Labyrinth" offers some great tidbits from a recent survey of financial executives.

  • Compliance costs continue to increase - from 2.83% of net income in 2002 to 3.69% of net income in 2006.
  • Primary costs continue to be driven by applying people, not technology, to the problem.
  • And the kicker from our perspective: measuring compliance performance remains largely a qualitative rather than a quantitative process. Only 55% of financial institutions reported using quantitative metrics, implying a limited application of process management tools and methodology.

Forget the name of the segment (e.g., GRC, IT-GRC, ERM, VM). The bottom line is taking a process-management-based approach backed by technology: commercial solutions (not home-grown) that let enterprises use automation to reduce the number of people doing mundane, manual tasks, which in turn reduces compliance costs.


Thursday, December 13, 2007

Users continue to ignore security policies, while security organizations are overlooking non-technical controls

The IT Compliance Institute had an article posted this morning that reinforces the point: "it's not the software/hardware/infrastructure/etc. but the people and processes that expose the biggest risks to a company."

The article doesn't reveal who conducted the survey or where it was taken, but it does highlight some key security items that people usually cut corners on.

  • 56 percent said they had accessed office e-mail via a public wireless hotspot.
  • 52 percent said they had accessed office e-mail via a public computer.
  • 8 percent admitted to having lost a mobile device containing corporate information.
  • 63 percent admitted to sending corporate documents to their personal e-mail addresses so they could work at home.

There are security technologies out there (e.g., encryption, data leakage prevention) that can help with each item, but the challenge is keeping up with the other IT technologies being deployed and with the business demands and challenges the users are trying to solve productively. Bottom line: you can't bypass making sure you have the right policies, procedures and education in place for your users (aka non-technical controls).

After reading this I decided to do some searching around for some type of survey numbers on technical vs. non-technical controls. I didn't see much out there but did come across this ("Is Information Security Under Control") from the IEEE Computer Society, published in early 2007.

The survey focused on 80 of the highest-quality security controls, as determined by a group of experts. Nowhere in that list of 80 was the number of non-technical vs. technical controls specifically counted, but there were two very interesting graphs.

The first one (figure 2 in the article; see below) showed the top 10 controls with the highest level of implementation quality. It revealed that 6 are technical controls and 4 are non-technical controls. Meanwhile, the second graphic (figure 3 in the article; see below) showed the bottom 10 by quality of implementation. It revealed that 3 are technical while 7 are non-technical.

So just running crude numbers here: 11 of those 20 were non-technical controls while 9 were technical controls. The article goes on to make the statement "...we found that of all 80 practices surveyed, management controls (non-technical controls) had substantially lower implementation ratings than controls in the technical and operational categories... Organizations must realize that a large proportion of information security problems extend far beyond technology and learn to appreciate the role that less technical controls, such as policy development, play in minimizing security breaches' impact on mission-critical operations."

This raises the question: "when was the last time your security group considered software products that help with managing these non-technical controls instead of just technical controls?" I've talked with numerous enterprises that have installed or are investigating various software products like vulnerability assessment, patch/configuration management, antivirus, SIEM, data leakage prevention, etc. Maybe it's time to do something for your non-technical controls as well and consider adding IT-GRC products to that 2008 budget/priority list.
