Today I saw the headline, “Energy gets tough on laptop use” in Government Computer News and I was curious to see that the story was about how the U.S. Department of Energy (DOE) is going to start actually enforcing their security practices by accurately inventorying and tracking their mobile computing devices after having “lost” 1,415 laptops in the past 6 years. The DOE also indicates they are going to start enforcing their security policies and procedures.
Huh? Using reasonable controls, such as inventorying computer equipment, is getting tough? Isn’t it just good, basic information security actions?
And actually making personnel follow the policies and procedures is getting tough? Isn’t this just smart management?
The sad truth is that so few government agencies, and a large portion of all organizations for that matter, have good, basic, comprehensive, enforced information security policies and procedures in place that when something that should have been done from day one is finally implemented and enforced, it is viewed as “getting tough.”
It’s too bad that implementing reasonable information security policies and procedures that protect the business is viewed as getting tough. It will be great to get to the day when your business leaders view information security as getting smart instead.
“Since his appointment in 2005, Bodman [DOE Secretary] has recognized that “management deficiencies have been an issue throughout the history of the department,” Barnett said. “He has been working to fully identify weaknesses and correct them at their source” in regard to computer inventory control. Barnett added that the laptop issue “is something that has been developing over many years.””
This points out the need for consistently enforcing the policies and procedures. It appears that managers recognized that there were no sanctions being applied if they lost a computer here, a laptop there, so they put their attention to other matters without much worry. After all, not following procedures saves them time, and if no one is concerned enough to enforce the procedures, they must not really be that important, right?
There is a snowball effect when policies and procedures are not consistently enforced. Manager B is diligently following procedures, but then finds out Manager A doesn’t and has never had anything bad happen to his career as a result. So, heck, since so much time will be saved, Manager B stops following the procedures too. Then Managers C & D find out that you don’t have to follow procedures, so they stop following them too. Soon Managers E, F, G, H, all the way to Z have also stopped following security policies and procedures, because no one else is following them and no executive leaders have lowered the boom on any of them. Soon no one is following security requirements.
As a result, policies and procedures that may be the best in the world are worthless because no one is following them.
It takes significantly more time to backtrack and try to get people back on board with following information security practices than to enforce them from the very beginning. Not only this, but during this time of ignoring the requirements the business is vulnerable to multiple security threats, and the organization may have experienced significant losses, including lost customers and damaged reputations, while no security was being followed.
Some of the lessons to take away:
* Information security requirements must be visibly and consistently supported by the top organizational leaders.
* Personnel must receive ongoing training and awareness for the security requirements to not only ensure their understanding, but also to establish accountability for them to follow the requirements.
* Policies and procedures must be consistently enforced on an ongoing basis.