Active vs Passive Policing
You may have all the boxes checked on your balance score card. Bought the latest and greatest security software, firewalls, Intrusion Prevention Systems
and finally have your security staff complement that you have been fighting for. The problem you have had all along should be gone now… But is it really?
I have recently travelled to Portugal and have seen active policing in all the main cities I have travelled to. In Lisbon you have police walking around 24-hours a day. At night the patrol the streets alone. Not two or more, one at a time with a radio and visible arms. In the capital city of Madeira, Funchal, the same type of behaviour. The end result is a much safer environment for all. One special note is the manner in which they interact with the public. No eye contact unless you speak to them. Scanning the environment constantly. Make you feel safer and you do respect them.
Without policing it becomes a total different story. The criminals run the show, joe public fears for his life and corruption becomes part of the daily lives of those who should uphold the law. In both scenarios, the law exists but the ‘executioners’ act differently.
This is exactly what happens in your Enterprise. You may have all the policies, procedures and guidelines in place. You have an Information Security department which is populated with staff. When I worked at a Bank, the Information Security Department was seen to be filled with people who seems to have messed up somewhere. A sort of punishment? You may have all the boxes checked but your approach may result in failures. How can I make a statement like that?
Lets look at a sample organisation and the parallels we can draw from scenarios where you active vs passive policing.
|You know, monitor and control all devices on your network||Users can add any device as required which may result in high risk devices|
|Your HR payroll is integrated into your user authentication system||Reviews for redundant are done only when you know the auditors are coming|
|You monitor productivity vampires such as non-business related internet surfing and report it directly to the user.||Users have freedom to surf web without recourse. Action is only taken on a formal complaint|
|Physical security of laptops are enforced using awareness and policy statements. For example encrypt where classification is secret||Due to the lack of physical control, laptops are going missing and you have no idea what data is on these devices|
To be able to ensure active policing you need to develop a proper measuring system whereby incidents and the status of the environment is monitored, managed and any deviation action taken to ensure that the risk is mitigated. Before spending any money on a solution… Make sure you are using all the inherent controls of your hardware, software and staff skillset.