Paul Robertson, director of risk assessment at TruSecure, a provider of intelligent risk-management products and services, says companies that come to him for advice on security policies are either "those that don't have anything at all, or just the basics," or "those that have a lot of policies, but no tidy implementation."
A common weak area today, he says, is company usage policies. Having strong privacy and usage policies can go a long way to protect a company if someone does something wrong. "Policies need to be up-to-date and reflect the situation and culture of the company," says Robertson. "It should be understandable by the end-user, and have the buy-in of human resources."
Robertson's biggest concern is that there is no easy way to enforce policies regarding passwords and ID sharing. As an IT expert, he knows how easy it can be to get a user's ID over the phone. "Even good intentions can threaten security. You have to do some reverse social engineering, because it's hard to get people not to be courteous and helpful," he points out.
The link for this article located at SCMagazine is no longer available.