A well-designed desktop security policy should provide bulletproof security without unnecessarily impeding the users’ ability to perform their jobs. But all security policies are a compromise between the strength of the security provided and the extent of end-user inconvenience. Where exactly this balance lies depends on the degree of sensitivity of the data being protected and the perceived vulnerability of that data to unauthorized access. I've identified the five steps you should take when developing your desktop security policy to help you find the correct balance for your organization.
Step one: Obtain buy-in from management
The management buy-in step occurs twice in the development process: at the beginning, before any detailed work commences, and again when the design is complete. At the beginning of the development process, management should be asked to approve the concept of desktop security. If management won't enforce and support the policy, don't waste resources on development. If they agree to support the concept, then once the design is complete, present them with a report for approval that details each aspect of the policy, what it offers in terms of added security, and the effects it will have on normal operations.
Step two: Evaluate the risk of an unauthorized access attempt
You can make a reasonable estimate of the likelihood of an unauthorized access attempt by considering both the desirability and the vulnerability of your organization’s data. In making such an evaluation, your IT department should seek input from the employees in the company who have the clearest understanding of how much someone outside of the organization might want to get that data. This is a crucial step because it will determine the required strength, the cost, and the inconvenience of the security policy to be implemented.
Step three: Assess current physical security
A thorough understanding of the degree of security provided by the physical environment in which the computers reside is important for fine-tuning your security policy. The more vulnerable your environment is to external intrusion, the more restrictions need to be implemented in the policy. When making this evaluation, consider the following:
- Are your organization's PCs located in offices that are locked when not occupied?
- Are your organization's PCs located in an open, shared workspace?
- Are your organization's PCs easily accessible to the general public?
- Are your organization's PCs locked to the desks?
- Do visitors to and employees of your company wear ID badges?
- Are visitors accompanied by employees at all times?
- Are burglar alarms used on the windows and doors outside of regular business hours?
The results of this evaluation should be discussed with your organization's safety department or building management. Instead of attempting to compensate for inadequate physical security with a desktop security policy, it might be more appropriate and cost-effective to improve the physical security of your environment.
Step four: Design desktop security
Assuming an unauthorized person is able to physically access a PC, how can you prevent him or her from also gaining access to the data located on or through that PC? This is the primary role of authentication security, the methods by which we validate that the person at the keyboard has permission to use that computer. Exactly how this is achieved depends on the desktop and network operating system, but certain security measures can be implemented in most environments, such as:
- Boot/power-on passwords set in the BIOS.
- Network/desktop logon name/password.
- Biometric devices for logon, such as thumbprint or retinal scanners.
- Access tokens.
- Screen saver passwords.
In addition to different methods of authentication security, in most environments, it is also possible to implement the following:
- Setting passwords on individual files/folders/applications
- Restricting access times/days on the computer
- Forcing logout after X minutes of idle time
- Locating all data on network drives to prevent data being stolen if the PC is stolen
- Restricting access to removable media to prevent data theft
- Clearing the page file on shutdown/reboot
In the process of deciding whether to implement each of the above, the degree of security offered needs to be weighed against the extent of the inconvenience caused to the user. Policies for how each item is to be instantiated must also be established based on the same considerations. For example, consider how frequently passwords should be changed, how long a PC may sit idle before the screen saver activates, what restrictions should be placed on how passwords are constructed, and so on.
Step five: Implementation and deployment
This final action can be conveniently broken down into the following tasks:
- Decide how to implement the policy (i.e., can it be implemented with your organization's current desktop and server OS? If not, should one or both of the operating systems be changed, or should third-party software be purchased?).
- Assign responsibility. Who in the company is responsible for enforcing which parts of the policy (e.g., who is responsible for initiating action if a user shares his or her password)?
- Clearly define penalties for violation of the policy (e.g., what are the consequences of letting your mother-in-law borrow your notebook for the weekend?).
- Educate the users (i.e., what changes should they expect, what are their responsibilities, and what are the consequences for violations?).
- Establish a procedure/schedule for reviewing the policy.
Although no single design formula can produce a foolproof desktop security policy that will work for all organizations, following the steps outlined above will help you to design a policy that provides an appropriate degree of security without causing unnecessary inconvenience to the users—along with the all-important support from management.