Application security policies have been receiving a lot of attention recently as part of the overall corporate security environment. They need to cover both the application development process, so that security is properly considered in the design and development phases, and the operational environment in which the applications run.
Application security policies therefore need to be developed first, then monitored and, where required, troubleshot to make sure they are being properly implemented and used.
Several software packages can assist with this, SCOM and AppLocker for example, and there are many codes of practice, both national and sector-specific, such as HIPAA in the health sector. Some application packages, JD Edwards for example, have built-in application security and provide detailed instructions on how best to implement it.
Some commentators consider that the issue has escalated with the advent of cloud computing.
Faced with this large amount of information and advice, how should you proceed?
Here are three potential strategies that might assist.
Define and Implement What You Want
The types and extent of the application security policies you introduce will depend to a great extent on the operating environment. Policies tailored for a small business will differ from those of a large company.
The first step is, therefore, to define what you expect of application security. Then develop policies that meet those objectives, tailored to the environment in which they will operate. If you already have policies, review them against your objectives.
Then define how adherence to the policies will be checked, and the remedial actions that need to be taken if a policy is breached.
This is not a one-off process. Policies may need to be altered to meet changing circumstances.
The first strategy is, therefore, one of continual monitoring and enhancement.
Choose a Monitoring Strategy
It’s easy to say “monitor policy”, but not so easy to do in practice. It has been suggested that the best way is to apply a triage principle.
Define three levels of policy breach, let’s say critical, medium and low. Deal immediately with critical breaches, with medium breaches when you have no critical ones outstanding, and with low breaches only when you have nothing of a higher category.
You must understand that doing nothing is not an option. The business could be at risk through unauthorised access to systems and data, particularly in a controlled environment where there are mandatory policies and procedures, for example in the Health Sector.
You can reduce the resources needed to investigate what are ultimately non-issues by using triage or the 80/20 rule to cut the number of false positives. This must be done with knowledge and understanding of the breaches that are occurring and their objectives: what at first glance looks like a false positive could be a serious breach if it is part of a larger trend or pattern.
The best approach is a proactive one to both monitoring and troubleshooting. There is a tendency for complacency to set in, among both users and those enforcing the policies, and this must be resisted.
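The three-level triage rule and the caveat that a repeated “false positive” may be a trend, as an added Python example that is not part of the original post; the breach records, severity names and the escalation threshold of three repeats are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Lower rank is worked first: critical, then medium, then low.
SEVERITY_RANK = {"critical": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Breach:
    id: int        # arrival order; lower id is older
    severity: str  # one of SEVERITY_RANK
    source: str    # user or host the alert is attributed to
    policy: str    # policy that was breached


def escalate_patterns(breaches, threshold=3):
    """Promote 'low' breaches to 'medium' when the same source keeps
    breaching the same policy. One low-severity event may be noise, but a
    run of them is the kind of trend the post warns should not be dismissed
    as a false positive. The threshold is an assumed, tunable value."""
    counts = Counter((b.source, b.policy) for b in breaches)
    escalated = []
    for b in breaches:
        if b.severity == "low" and counts[(b.source, b.policy)] >= threshold:
            escalated.append(Breach(b.id, "medium", b.source, b.policy))
        else:
            escalated.append(b)
    return escalated


def triage_order(breaches):
    """Order breaches strictly by level: all critical first, medium only once
    no critical remain, low only when nothing higher is outstanding.
    Within a level, the oldest breach is handled first."""
    return sorted(breaches, key=lambda b: (SEVERITY_RANK[b.severity], b.id))


# Constructed sample queue, not real alert data.
SAMPLE = [
    Breach(1, "low", "alice", "after-hours-login"),
    Breach(2, "medium", "bob", "shared-account-use"),
    Breach(3, "low", "alice", "after-hours-login"),
    Breach(4, "critical", "svc-batch", "privilege-change"),
    Breach(5, "low", "carol", "after-hours-login"),
    Breach(6, "low", "alice", "after-hours-login"),
]


def worked_queue(breaches=SAMPLE, threshold=3):
    """Escalate repeated lows, then return (id, severity) in working order."""
    ordered = triage_order(escalate_patterns(breaches, threshold))
    return [(b.id, b.severity) for b in ordered]
```

Running `worked_queue()` on the sample puts the single critical breach first, then alice's three repeated after-hours logins (escalated to medium) alongside bob's medium breach, and carol's isolated low event last.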
Education is a priority:
- Policies, and in particular sanctions, must be known and understood by all. An education programme, starting at onboarding, is required. This must be supplemented by regular updates and reinforcement.
- There will be an increase in the number of investigations and possible sanctions, at least initially, when new policies are implemented and breaches are suspected. This must be communicated to all relevant parties.
- Users must be aware of this and of the potential effect on their access to application systems.
Define What You Will Do
Having policies and monitoring procedures is of little value if their sanctions are not defined and applied when breaches occur. The type of breach, its severity and the sanction expected to follow must be clearly set out in the employee handbook.
Sanctions could include immediate measures such as denial of access, perhaps with an immediate follow-up.
Formal procedures for action following a serious breach will be required, ranging from internal disciplinary action, as defined in the policy manual, to dismissal.
Application security policies are needed to manage a changing and complex environment. A corporate strategy is needed to make sure they are enforced in a sustainable and supportable manner.