Policies and Procedures

I’d like to posit that a truly secure environment is difficult but not impossible. The primary requirement is not a particular antivirus package, or firewall model, or antispam solution. I’d say the critical item to standardize on is a good POLICY.

Okay, are the normies asleep yet? Okay good. Now I can speak freely. Whew.

Seriously though folks, the policy comes before the process, and the process before the procedures. The criteria for the selection of security products should flow from the policy. The implementation procedure for the products selected is designed according to your standard processes.

What the hell am I talking about? Okay, let me break this down.

Internet security is an ever-escalating cold war. Exploits are uncovered, patches are released. Wash, rinse, repeat. All along, the exploit nearly ALWAYS requires a human element for success.

Do you allow unrestricted web browsing for employees? Well, the dark underbelly of the Internet awaits. And now with aggregator sites like Reddit dominating traffic charts, you don’t have to have 4chan trolls on payroll for your machines to end up connected to really messed up places. In this era of fake news and indie “blog journalism”, there are billions of sites, running on millions of servers, with a limitless variety of security configurations. Which servers are secure? Which are already owned? Hard to tell.

Solve that problem with policy! Don’t allow freewheeling Internet browsing. Add a few dozen business-critical sites to the allow list. If you’re in media or research and you need free rein on the Internet, do your browsing in a “sandbox” (a recyclable virtual machine). Let the sandbox VM get owned, who cares? Reboot and you’re back in business.

See? Policy can be set once, and the security standards will evolve appropriately from there. I don’t care HOW you filter the Internet, just that it’s not the Wild West. We don’t care which VM standard you use for the free web, just that you’re not browsing the seventh circle of hell from your well-crafted work environment.

Still not clear? Here’s another example: What about password usage? Are you still relying on a password for security? That’s like putting a Master lock from your high school locker on your bank vault. It ain’t gonna keep out even a marginally motivated crook. Solve it with a policy! Mandate 2-factor authentication, and mandate complex passwords. Like really complex. And for products that still don’t support 2-factor, you could make the password complexity standards so gnarly that staff is effectively forced to use a password manager (which requires 2-factor authentication to operate!).

Get it? We aren’t particular about WHICH 2-factor platform you choose, or its method of adding a second factor; we sleep easier knowing that it’s there. We aren’t choosy about WHICH password manager, we just want you to use one to make things air-tight.

To tie this all together, I say you’ll never have every setting, tweak, patch and procedure dialed in and perfect. Things will keep changing. As a new exploit emerges, IT will have work to do, and users will get a new heads-up from IT. But I promise you, if you’ve got a solid policy foundation, the work for the IT team will be easier to coordinate (no one fights IT over needing to reboot overnight to apply a patch if the reboots are mandated by policy, and frequent enough to become habitual), and the staff will roll their eyes at the unnecessary warning (because they already KNOW they cannot wire transfer money based on an email from “the boss”).