Five reasons to review security policy from a new perspective

APT (Intelligent Sustainable Threat), a new business technology, has shifted the focus of security budgets from intrusion prevention to detection and response to young human resources. Many companies and organizations have also encouraged them to review and examine their security policies and guidelines from a new perspective.

According to Gartner, in 2018, 50 percent of organizations in the supply chain will assess the risk of continuing relationships based on how effective the security policies of other organizations in the supply chain are.

Does our policy match the policies of our partners? There are many companies that already have established and operate security policies, such as policies made directly from the beginning, policies based on templates provided by security related organizations or developers. However, "how effective these policies are" is a completely different matter.

According to Evans Data Corp's survey of 1,500 software developers around the world, 31% of companies have formal security policies, and 34% of them have unofficial security policies is.

The golden rule applied to security policy establishment still applies. Examples include sharing the process with all affected stakeholders, using a "language" that everyone can understand, avoiding rigid policies that impede business growth, and making the process practical through testing .

Jay Hei, vice president of Gartner's security and privacy research group, points out that even the new policies may be outdated. In particular, you may need to update the guidelines one step lower than the policy to multiple LoBs, or jurisdictions, to meet various regulatory or geographical criteria. Security and risk management specialists emphasize five reasons for reviewing security policies from a new perspective.

---

1. Ransomware, DDoS, and APT

Ransomware attacks targeting businesses during the January-September period of 2016 tripled. According to Kaspersky Lab, 20% of companies worldwide are affected. According to Verisign, the average size of DDoS attacks in the first quarter of 2017 increased by 26% from the previous quarter.

Security policies in the past focused on how to protect information. We have established policies related to data classification and policies that define the methods to be followed when sharing information on a network. "Now with Ransomware and APT, it's more important to focus on user behavior and the behavior of" bad guys, "said Eddie Schwartz, Cyber ​​Services EVP, DarkMatter LLC EVP, chair of the ISACA Cyber ​​Security Advisory Committee. Stressed.

Julie Bernard, director of cyber-risk services at Deloitte in Charlotte, North Carolina, said, "We need to build and maintain robust security policies to support these threats, The process should be updated more frequently to accommodate changes in the threat landscape. "

---

2. Cloud and IoT block chains,

Other New Technologies Things in the Manufacturing Sector Next-generation tools, such as Internet (IoT) and block chains in financial services, are driving security policy changes.

Bernard said, "We have to keep pace with the ever-changing environment," says Bernard. "The techs at companies that adopt the cloud worry about uptime and security, but what about the policies that follow? If there is no technical competence to block sharing, there is no need to share it, and if so, what information should be shared? People are having trouble sharing it, "he said.

---

3. Changes in user behavior As the number of

employees in the Millennium generation increases, expectations for technology and changes in business practices are being introduced. This affects security policies and standards.

"If you go to Facebook at work and watch cat videos, beware of malware infections!" Instead of providing users with general guidelines for information protection, they should provide guidance that is consistent with the behavior they are doing in the workplace. The behavior they are using, and the behavior of surfing social media on a company's paid laptop computer. Some organizations' security standards and procedures are equally reflected in preventive and reactive measures, which should be taken after an infringement It also includes instructions on what to do " "He said.

---

4. Security tiredness and loose executives

may be tired of following all kinds of rules. Over time, if the "prohibition" in the security policy increases too much, security fatigue begins and this undermines the policy effect.

"As security and cloud computing show, there's a lot of loosening policy enforcement when it's rampant," he said. "Many organizations are using security policies for their use of SaaS. It does not enforce it, it allows it to use anything freely, which makes the policy obsolete. "

---

5. Some of the outdated security policy factors

Hai commented, "We have to look at the policy elements to see if the policy elements are causing actual change, but there are a lot of companies that do not do that, We should keep in mind, "he said.

He suggested a way to organize all the security policies into a spreadsheet, giving them scores of 1 to 5. If one of the two scores is '0', then the performance (except to comply with auditing requirements) is '0'. "The less the number of rules, the more closely people observe it, so if you add something, you have to subtract something else."

---

Policy updates In

many cases, security policies are reviewed once a year, focusing on compliance with regulatory requirements. Some experts, however, stress that standards and procedures should be reviewed on a quarterly basis. "Large enterprises or organizations should review at least once a quarter and review them as needed," said Schwartz. "When threatened terrain changes, when new systems or clouds are introduced, or when new mobile environments are embraced, If you find a sector, you need to see if you need to change the policy. "

All new threats should be treated at the highest level in existing security policies. If not, the security, legal, audit, and compliance (compliance) teams should have dialogue and appropriate action plans and policies in place with management involvement. If you have updated your security policies, standards, and procedures to the latest, you should make it easy for employees to find them.

James Baird joined Vice President of IT Security and Compliance in the American Cancer Society in October 2015, and his first job was to make it easier for employees to find and retrieve organizational security policies. PDF has replaced 1,800 pages with SharePoint's HTML page. Now, you can easily search by topic. We also created a hyperlink to a specific policy-related policies, requirements, or guides.

For example, when you search for the appropriate Wi-Fi usage, you will see the available standards, access points, and branding links and policies. Baird said "

Your voting gives me strength. Thank you.