Policy Weakness
 
Policy weakness is a catchall phrase
for company policies, or a lack of policies, that inadvertently lead to security
threats to the network system. Chapter 2 covers in detail the importance and implementation
of a written security policy, which is the essential foundation of a good
security implementation.
The following examples are some of the policy issues that can
negatively impact a business's computer system:
- No written security policy: Lack of a documented and adopted plan means the security efforts evolve and are enforced, if at all, in a best-effort manner.
- Lack of disaster recovery plan: Without a plan, the efforts to fight a network attack—or even a physical emergency such as fire, flood, or earthquake—are left to the judgment and knowledge of the staff on hand. Even the best-trained and most experienced staff can make foolish decisions when faced with an unexpected catastrophic event.
- No policy for software and hardware additions or changes: Whether motivated by increasing productivity or recreation, any addition or upgrade to software or hardware can introduce unexpected security vulnerabilities. Adding an unauthorized wireless access point to a network can throw open a virtual garage door to the network and the company resources. Similarly, an unauthorized screensaver might also be harvesting passwords, user IDs, and other information for someone else.
- Lack of security monitoring: Even if a secure network is developed, failure to monitor logs and processes or weak auditing allows new vulnerabilities and unauthorized use to evolve and proliferate. The worst case would be not recognizing that a serious loss had occurred or was continuing.
- Employment policies: Frequent staff turnover, lower-than-typical compensation, and lack of training opportunities can all impact network security by bringing new, untested, and underskilled employees into positions of authority and responsibility.
- Internal policies: Lax business attitudes and practices often create temptations and a relatively safe environment for the opportunist within to ply their craft. This is the “we are all like family here” syndrome. Unfortunately, even some of the best families have a thief in their midst. Similarly, infighting, backbiting, power struggles, or turf struggles can lead to security issues or divert attention, allowing problems to go undetected.