What Do Employees Need to Understand about Security?


r7mr7m

The problem with this article is that it assumes all end-users are capable of practicing/caring about the security principles necessary to protect the integrity of the company's systems/data.

Effective IT/IS security policies are those that are implemented and enacted by the IT/IS departments and require as little from the end-user as possible. Most end-users are reluctant to practice and are annoyed by "inconvenient" security policies. You cannot and must not rely on these people to practice safe use of company computers, networks and services.

In my professional opinion this article fails to touch on the necessity of the policy makers to provide technologically-implemented policies/safeguards and expects that end-users can be relied upon to keep every aspect listed, secure. This is not only unrealistic, it is impossible.

Only a few of the items listed can reasonably be expected to fall under an end-user's pro-active responsibilities. The IT/IS departments must responsibly implement security policies enterprise-wide at server/network levels as the first line of defense. Allow me to elaborate.

Password policies should be part of a domain/enterprise-wide GPO that requires users to meet the following:

   1. complexity requirements (numbers, symbols, etc.)
   2. min number of characters
   3. password expiration time limits
   4. disallowing the reuse of the password for a set time period or number of password changes

Next - Along with the GPO, you must communicate that the user must not share their password, write it down and keep it in locations where anyone other than themselves has access to it (i.e. a safe or locked drawer), etc. Also, the user must change their password if they suspect that it has been compromised.

E-mail Security - All messages should also be scanned upon arrival/departure by an appliance and/or software for spam/attachments and also communicating caution to end-users.

Website access can and should be controlled by some sort of proxy server that is updated on a regular basis to prevent access to sites with questionable/malicious content.

Antivirus clients must be updated/scanned from a server console/pushed-out automatically with no intervention required/allowed by the end-user.  You cannot rely on the end-users to run these on their own.

Approved software patches should be pushed out, and at the very least the client systems must be required to check for and install updates as often as necessary.

Having a user as a member of the users or power users group will prevent a significant amount of issues regarding malware and viruses, not to mention intentionally installed software like IM clients, P2P applications, etc.

After all this, the end-user must be continually educated to reinforce policies and that adherence is required, not optional, and disciplinary action will be taken if violated.

Implementing the above policies will alleviate some of the end-user's responsibility and will make for a more secure and productive environment.
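The four password-policy items in the comment above map directly onto settings of the Active Directory default domain password policy. The following PowerShell script is an added example, not code from the commenter or from MaximumPC: it audits the current domain policy against those four items and reports any gaps. It assumes the RSAT ActiveDirectory module is installed and the session is domain-joined and authenticated; the numeric thresholds (12 characters, 90 days, 24 remembered passwords, 1-day minimum age) are assumed values for illustration, since the comment names the requirements but not the numbers.

```powershell
# Added example (not from the original comment): audit the default domain password
# policy against the four requirements listed above. Requires the RSAT ActiveDirectory
# module and a domain-joined, authenticated session. The threshold values below are
# assumptions for illustration; substitute the ones your own policy mandates.
Import-Module ActiveDirectory

$required = @{
    ComplexityEnabled    = $true                 # 1. complexity requirements
    MinPasswordLength    = 12                    # 2. minimum length (assumed value)
    MaxPasswordAge       = New-TimeSpan -Days 90 # 3. expiration (assumed value)
    PasswordHistoryCount = 24                    # 4a. remembered passwords (assumed value)
    MinPasswordAge       = New-TimeSpan -Days 1  # 4b. stops cycling through the history in one sitting
}

function Test-DomainPasswordPolicy {
    param(
        [Parameter(Mandatory)] $Policy,
        [Parameter(Mandatory)] [hashtable] $Required
    )
    $findings = @()
    if ($Required.ComplexityEnabled -and -not $Policy.ComplexityEnabled) {
        $findings += 'Complexity requirements are disabled'
    }
    if ($Policy.MinPasswordLength -lt $Required.MinPasswordLength) {
        $findings += "MinPasswordLength is $($Policy.MinPasswordLength), required >= $($Required.MinPasswordLength)"
    }
    # A MaxPasswordAge of 0 means "never expires", which also fails the expiration check.
    if ($Policy.MaxPasswordAge -eq [TimeSpan]::Zero -or $Policy.MaxPasswordAge -gt $Required.MaxPasswordAge) {
        $findings += "MaxPasswordAge is $($Policy.MaxPasswordAge.Days) days, required <= $($Required.MaxPasswordAge.Days) and not 0"
    }
    if ($Policy.PasswordHistoryCount -lt $Required.PasswordHistoryCount) {
        $findings += "PasswordHistoryCount is $($Policy.PasswordHistoryCount), required >= $($Required.PasswordHistoryCount)"
    }
    if ($Policy.MinPasswordAge -lt $Required.MinPasswordAge) {
        $findings += "MinPasswordAge is $($Policy.MinPasswordAge.Days) days, required >= $($Required.MinPasswordAge.Days)"
    }
    return $findings
}

$policy   = Get-ADDefaultDomainPasswordPolicy
$findings = @(Test-DomainPasswordPolicy -Policy $policy -Required $required)

if ($findings.Count -eq 0) {
    Write-Output 'Default domain password policy meets all four requirements.'
} else {
    Write-Output 'Default domain password policy gaps:'
    $findings | ForEach-Object { Write-Output " - $_" }
    # Remediation, run as a Domain Admin after change control, using the same assumed values:
    # Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
    #     -ComplexityEnabled $true -MinPasswordLength 12 `
    #     -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordAge (New-TimeSpan -Days 1) `
    #     -PasswordHistoryCount 24
}
```

The audit is read-only; the `Set-ADDefaultDomainPasswordPolicy` call is left commented out so the script can be run by a non-privileged reviewer first. Note that the default domain policy applies to every domain account; if some groups need stricter settings, a Fine-Grained Password Policy (`New-ADFineGrainedPasswordPolicy`) layers on top of it rather than replacing it.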


xchrissypoox

"Just recently, McAfee posted a survey suggesting that SMBs are spending less on security as the recession continues to force cuts to the budget, yet cybercrime is on the rise."

McAfee has nothing to gain from increasing small business fear of things McAfee claims to protect against. *rollseyes*
