Dos and don'ts: Policing user security policies

Meredith B. Derby, News Writer

There is no standardized, sure-fire way to enforce user security policies. That leaves lots of room for creativity and even more room for error, according to security management expert Todd Lawson.

Policy-based management, or the enforcement of user security policies, is an extension of managing user identity and enterprise access rights. Because there are many approaches to policy management, goals can be hard to define, said Lawson, president and CTO of Orem, Utah-based NetVision, Inc., a security management software company.

To help IT managers define goals and avoid common security enforcement mistakes, he offered these "dos and don'ts" tips.

Do focus on user activities. "Policies must focus on user activities, particularly activities of authenticated users inside the firewall," said Lawson. Whether the users are employees, customers, or partners, most policy violations are still perpetrated by insiders, not by outside hackers. "Internal security holes are usually created by people, not technology," he said.

Don't forget to detect events in real-time. Don't query log files and session data just once a week or even once a day, said Lawson. Proactive, real-time detection identifies policy breaches in time to stop them before the damage is done, he said.

Do establish an ironclad policy breach response process. "Identifying a policy breach in real-time is only partially effective," Lawson said. "Being able to execute a pre-defined action in response to the policy breach is most critical."

Do set up a three-phase policy enforcement process: correct, alert and audit.

  • First, establish a way to quickly correct or restore what was changed by the policy violation. "The system should effectively disallow an inappropriate action by fixing it or restoring it to its proper state upon detecting the attempt to change it," Lawson said.
  • Then, set up a policy enforcement system that notifies both the user and management when a violation occurs. It must educate the user as to what policy was violated and how to comply in the future.
  • Finally, be sure to log and audit the event to verify what happened, who did it, when it was done and what resulted. "This creates awareness and future deterrent," he said. "It also documents a secure audit trail which can be used as forensic evidence in court if needed to prove that the event took place and when."

Do customize event filtering. "Internal security risks fall into three general categories: mistakes, intentional mischief and user ignorance," said Lawson. Keep in mind that not all events are of the same magnitude. Security policy breaches can range in seriousness from "innocent" to "suspicious" to "malicious," said Lawson. Set up a good policy management process for filtering and categorizing events as they are detected.
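The three-phase correct, alert and audit process and the severity filtering described above, as one added worked example. This is illustrative code written for this page, not NetVision's product or any code from the article; the directory state, policy baseline, severity table, guidance text and event stream are all constructed here for illustration. Every violation is corrected and audited; the severity filter decides who is alerted.

```python
"""Correct -> alert -> audit enforcement over a stream of change events.

Added example for this page, not NetVision code. DIRECTORY, BASELINE,
SEVERITY, GUIDANCE and SAMPLE_EVENTS are constructed for illustration.
"""
import copy
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed live state: what the directory currently holds.
DIRECTORY = {
    ("group", "Domain Admins"): {"members": {"alice", "bob"}},
    ("user", "carol"): {"login_hours": "08:00-18:00", "password_expires": True},
}

# Constructed policy baseline: the value each protected attribute must have.
BASELINE = {
    ("group", "Domain Admins"): {"members": {"alice", "bob"}},
    ("user", "carol"): {"login_hours": "08:00-18:00", "password_expires": True},
}

# Constructed filter on the article's innocent / suspicious / malicious scale.
# Management is alerted only for suspicious and malicious changes; the user
# is always told what was violated and how to comply.
SEVERITY = {"login_hours": "innocent", "password_expires": "suspicious",
            "members": "malicious"}
GUIDANCE = {
    "login_hours": "Login hours are set by HR; ask your manager to request a change.",
    "password_expires": "Password expiry may not be disabled; request an exception.",
    "members": "Admin group membership changes need a security-approved ticket.",
}


@dataclass
class ChangeEvent:
    actor: str          # who made the change
    obj_type: str       # "user" or "group"
    obj_name: str
    attribute: str
    new_value: object
    when: str           # timestamp carried by the event itself


@dataclass
class Outcome:
    severity: str                               # "in-policy" or a SEVERITY label
    corrected: bool
    alerts: list = field(default_factory=list)  # (recipient, message) pairs
    audit: dict = field(default_factory=dict)


def enforce(event, directory, baseline, audit_log):
    """Apply one event to the live state, then run the three phases."""
    obj = directory.setdefault((event.obj_type, event.obj_name), {})
    previous = obj.get(event.attribute)
    obj[event.attribute] = event.new_value      # the change has already happened

    required = baseline.get((event.obj_type, event.obj_name), {}).get(event.attribute)
    violated = required is not None and event.new_value != required
    severity = SEVERITY.get(event.attribute, "suspicious") if violated else "in-policy"
    outcome = Outcome(severity=severity, corrected=False)

    if violated:
        # Phase 1: correct -- restore the attribute to the value policy requires.
        obj[event.attribute] = copy.copy(required)
        outcome.corrected = True
        # Phase 2: alert -- educate the user; escalate to management by severity.
        outcome.alerts.append((event.actor,
            f"{event.attribute} on {event.obj_name} was reverted. "
            + GUIDANCE.get(event.attribute, "Contact security before changing this.")))
        if severity != "innocent":
            outcome.alerts.append(("security-mgmt",
                f"[{severity}] {event.actor} set {event.attribute} on {event.obj_name} "
                f"to {event.new_value!r}; restored to {required!r}"))

    # Phase 3: audit -- who, what, when and the result, for every event.
    outcome.audit = {
        "when": event.when, "detected_at": datetime.now(timezone.utc).isoformat(),
        "actor": event.actor, "object": f"{event.obj_type}:{event.obj_name}",
        "attribute": event.attribute, "from": previous, "to": event.new_value,
        "severity": severity, "corrected": outcome.corrected,
    }
    audit_log.append(outcome.audit)
    return outcome


def run(events, directory=None, baseline=BASELINE):
    """Process an event stream; return (outcomes, audit_log, final directory)."""
    directory = {k: dict(v) for k, v in (directory or DIRECTORY).items()}
    audit_log = []
    outcomes = [enforce(e, directory, baseline, audit_log) for e in events]
    return outcomes, audit_log, directory


# Constructed event stream, in the order a real-time feed would deliver it.
SAMPLE_EVENTS = [
    ChangeEvent("carol", "user", "carol", "login_hours", "00:00-24:00", "2002-08-05T09:12:00Z"),
    ChangeEvent("dave", "group", "Domain Admins", "members", {"alice", "bob", "dave"}, "2002-08-05T09:13:00Z"),
    ChangeEvent("erin", "user", "carol", "password_expires", False, "2002-08-05T09:14:00Z"),
]

if __name__ == "__main__":
    results, log, state = run(SAMPLE_EVENTS)
    for r in results:
        print(r.severity, r.corrected, r.alerts)
    print(state[("group", "Domain Admins")]["members"])
```

Note that correction runs before any alert, so the window in which the out-of-policy value is live is the detection latency alone, and the audit record keeps both the attempted value and the restored one so the trail shows what the actor tried, not just the end state.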

This was first published in August 2002
