In my last post, we talked about the Business going outside of your I.T. controls and self-provisioning Software as a Service solutions. Most of you were horrified and could identify a number of internal policies that a SaaS solution wouldn’t comply with. You understood that these policies are there to protect the organization’s confidential information or intellectual property, so why is it so hard for the Business to grasp those implications?
I’ve just finished reading “The Phoenix Project” by Gene Kim, Kevin Behr and George Spafford. Actually, I couldn’t put it down.
One of the characters is an over-zealous Chief Security Officer who wants to tie I.T. down tightly enough to meet every point in a third-party security audit. In reality, the business already has processes and procedures in place in the finance department that make these controls in the I.T. system unnecessary.
In fact, it made better business sense for a human responsible for the money in the organization to watch out for these red flags instead of coding the computer systems to do it. I’m not saying that’s going to be the case in every situation, and I.T. controls certainly have their place in mitigating organizational risk, but do they have to prevent every possible risk?
The UK government’s Centre for Protection of National Infrastructure (CESG) is now advising that passwords should only be changed ‘on indication or suspicion of compromise’, throwing the old 30 day or 90 day expiry out of the window. While that may seem insane, their reasoning is that regular forced password changes push people to write them down somewhere so they can remember them, or to re-use the same base password with a minor variation.
Tough I.T. controls or policies can often lead to people inventing workarounds. I can bet you that someone in the organization has given their password out to a co-worker because they were away sick, and it was quicker than asking I.T. to sort out delegated access to their mailbox. Or perhaps they ran late at a meeting and someone needed to unlock their computer.
If you could wave a magic wand, what I.T. policies or controls would you relax to make life easier for you and the end users? Could you do this and retain (or even improve) the security and stability of your systems? Or is this all just crazy talk and you should be locking down your systems even more?
Let me know your thoughts!