Let's start with some definitions:
Paradigm: An example serving as a model or pattern (from a Greek word I can't even hope to pronounce, meaning to show side-by-side)
Shift: To put something aside and replace it with another
Paradigm Shift: A change from one model or pattern of thought (or action) to another.
We all live in many different paradigms, and we switch between them all the time. For example:
- In my home paradigm, I dispense fatherly advice and bad jokes to my kids. I (usually) help around the house. I fix (and sometimes break) things.
- In my work paradigm, I call and/or take calls from customers, and help them with their computer problems. I deal with the finances. I work on Sales and Marketing.
- In my religious paradigm, I go to synagogue, pray and generally do my best to keep the laws and traditions of my belief-system.
But it's not always so easy to determine which paradigm you should be in. Sometimes, we can make mistakes. Consider this scenario:
You're walking to the door of your office building. It's a secure key-card access door. Someone else is walking up behind you. Do you hold the door for him? On the one hand, there is clearly concern about security here. On the other hand, closing the door in the guy's face might be rude.
The problem here is that no one has clarified the appropriate paradigm. If security were the underlying rule of thumb, the answer would be obvious, and closing the door in his face wouldn't be considered rude at all - in fact it would be expected. If you don't believe it, ask anyone who's ever worked on a military base, or in a secure government facility. (I've worked in both.)
Every business owner I've spoken to says that they want their business to be "secure". Then, many of them insist that everyone in the office use the same user name and password, or no password at all, for network access. In fact, according to a recent InfoWorld article, a similarly recent Symantec survey says that small businesses tend to "shun" basic security measures. Once again, the problem is usually an unclear paradigm.
This is where a Security Policy can be really useful, even for a small business. It communicates the organization's security foundations: what's important to the company, from a security perspective. Basically, it's the documented security paradigm for the company. And it doesn't need to be complicated either. In fact, simpler is better. Should you enforce stronger password policies? Well, if the policy says, "Everyone should be able to get to anything they want, without restriction," then the answer is immediately clear. It's also clear if the policy says, "Users should be able to reach only the information required for them to do their job." These statements also answer questions like, "Should everyone have Administrative privileges?" and "Should we lock the doors at night?" and "Should the janitor be able to get into QuickBooks?" - Alright, so they probably need a little work... but perhaps not too much. Remember, the intent here is to have a guide, not a detailed manual covering every possible situation.
Why not be more detailed? Because that's often why businesses don't write policies. It's why we never even get started: The task becomes too huge to contemplate. So don't let it. Just try covering some topics like:
- Access privileges
- Internet access
- File-sharing networks (e.g. BitTorrent and Gnutella)
- Software piracy
There's more to be said, and I may even say some more of it in another letter, or on our blog. In the meantime, think about your company's security position, and whether it fits your vision for the company.