Networking Special: The next generation
Go for conceptual, tailored security policies
Sng Chee Khiang / Singapore
If you are designing security policies, here is a pointer: conceptual and tailored security policies will be more readily accepted than policies that are rule-based and which encompass the whole organisation. Toh See Kiat, a Singapore representative to the ICC Commission on e-business, IT and Telecoms, and director of Goodwins Law Corporation, said that with conceptual security policies, employees can understand the principles behind the policies and are more likely to comply.

A rule-based, one-size-fits-all security policy may not be relevant to some employees and may in fact hamper their work. They may then not comply with the policy, said Toh.

Due to the increasing number of regulations, such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act (HIPAA), there is also a need for companies to align their security policies with their business strategy. The way to do so, suggested Vince Steckler, vice president Japan and Asia Pacific, Symantec, is to put security under the purview of the CFO instead of the CIO. The CFO is usually someone who has been trained in accounting, and he or she will be better placed to assess and manage risk, said Steckler. The CFO will also have the clout to drive compliance with security policies.

He added that companies also tend to make the mistake of deploying security technology without having a policy to provide guidelines. Only if systems are being used in accordance with standards and patched according to policy can companies better understand their security and risk posture, use current security resources more effectively, and plan and prioritise future security spending, said Steckler.
This article first appeared in Asia Computer Weekly