Security is a Matter of Policy

By Teri Robinson

If any government agency doubted the need for and importance of an airtight security policy, the recent porn scandal at the Securities and Exchange Commission was a dramatic wake-up call.

Agencies are well aware of threats to their security and have made it a point of urgency. In a survey conducted by the 1105 Government Information Group last fall, the 109 respondents consistently ranked security among their top three main concerns and almost always placed it first on agency budget priority lists. Sometimes the biggest threats to security come from within, and agencies must take steps to ensure that employees know the rules and play by them. Most survey respondents, 85 percent, said their agencies conduct regular IT security compliance training.

For all the talk surrounding information security, as the SEC debacle has shown, policy and enforcement have lagged far behind the growing threats from both rapidly changing workplaces and technology advances. In past surveys conducted by the 1105 Government Information Group, respondents consistently said they knew their agencies had a security policy but many were simply not familiar with it. That must change if agencies are to protect the information that passes through their doors.

Setting IT Straight
There are a few steps that an agency should take to build and enforce a security policy.

Review existing policy. There’s no need to re-invent the wheel. Agencies should first assess existing policy and determine where the holes or vulnerabilities might be, then fill the gaps. A security policy should be solid but also flexible enough to accommodate changes in work environments and technology.

Socialize. Cruising porn on government computers is a clear violation of any agency’s policies, security or otherwise. But what of Facebook, YouTube and other social networking media? They can help workers connect with citizens, disseminate information, become more responsive and help agencies meet President Obama’s mandate for a more nimble and transparent government. Today’s government workers are armed with technology and unprecedented access to outside sources. Any security policy must include very specific guidelines for accessing and using social media at work.

Assign responsibility. By now, agencies understand that policies are more easily adopted if someone is in charge. In an 1105 Government Information Group survey last year, 87 percent of the respondents said their agencies had a Chief Information Security Officer. And a recent study by the Information Systems Security Certification Consortium Inc. found that the CISOs have gained authority and do believe they are having a positive impact on their agencies.

Train, train, train. Security threats change and so do policies, making it crucial that employees are trained regularly regarding security guidelines and agency expectations.

Enforce the rules. There should be clear consequences for security violations and an agency must follow through with the stated reprimands and penalties.

Ramp up resources. A strong security policy needs the proper technology and human resources behind it. Security officers need the most current technology for monitoring and ensuring compliance. And training as well as enforcement requires staffing up. But budgets are tight. Judicious use of tech budget dollars and discrimination when purchasing new products and services can keep costs down. Many agencies employ contract workers to help with training and enforcement.