Security quote of the week

Another article on policies and controls to prevent the use of peer-to-peer file sharing technologies, written in the wake of last week's Congressional ethics committee report, contains the best concise statement we've seen in a long time of the problem facing information security programs today. Tom Kellerman of Core Security Technologies is quoted in the NextGov article thusly: “Policy compliance in the absence of a dynamic audit is impossible, [and any] assumption that only insiders can violate policies” is false.

A recurring theme in posts seen in this space is that too often organizations write and communicate well-meaning and appropriate security policies, but then assume that the policies will be followed without implementing any means of monitoring or enforcement. This problem applies equally to government agencies and private sector organizations, and in some cases is even a product of the sort of risk-based security management approach that organizations should be following: a risk assessment may conclude that the cost of enforcing a policy outweighs the risk of its being violated, and accept that risk. If, however, organizations choose to leave the risk of policy violations unmitigated, they don't have much credibility when they express shock that an incident occurred contrary to policy.