A few weeks ago The Age ran a story, Defence secrets stolen at airport. An Australian Major General’s aide had copies of “Australian Eyes Only” documents on a thumb drive, which he put in a backpack that went as checked-in luggage on a commercial flight. Apparently the thumb drive was stolen out of the backpack somewhere between Dubai and Islamabad. Apart from anything else, the world didn’t end and both the Major General and the aide kept their jobs.
Nowadays it has become very fashionable for complex “IT” security policies to be invented and deployed through public and private organisations. Very often these policies start from a position of “we want a security policy, so we will have one”. To my mind this is somewhat back to front, as the IT component of an organisation’s overall security is only a part, and to be of any use it must be in balance with other aspects of the organisation’s risk and security policies.
Identifying what the wrong thing is, and then making the right thing the easy thing, is the key here. Most agree that in a perfect world there is perfect openness and transparency; in the real world we need to secure organisation secrets and reduce crime and fraud, but a sense of proportion is needed. Quite often there is a lack of balance.
One of my favourites is from a large, well-known software supplier which offers partners online access to its logo. The web site requires a password which conforms to strong(ish) password rules: at least 10 characters, a mixture of upper and lower case, some numerics but not too many, and special characters but not at the beginning. As this combination is impossible to remember, the supplier suggests that users write down their passwords, just don’t make it obvious what it is!
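To make the imbalance concrete, here is an added example (not code from the post or from the supplier it describes) that encodes the composition rules listed above as a validator and runs a few constructed passwords through it. The post does not give exact thresholds for "some numerics but not too many", so the digit cap and the set of special characters are assumptions. The interesting result is which candidates pass: a long, memorable four-word phrase is rejected on three counts, while a short string that is hard to remember is accepted, which is exactly the pressure that pushes users towards writing passwords down.

```python
# Composition rules as described in the post. The exact thresholds for
# "some numerics but not too many" and the special-character set are not
# given, so the values below are assumptions chosen for illustration.
MIN_LENGTH = 10
MIN_DIGITS = 1
MAX_DIGITS = 3                                   # assumed cap for "not too many"
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/")      # assumed special-character set


def check_password(pw: str) -> list[str]:
    """Return the list of rules the password violates; an empty list means accepted."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("too short")
    if not any(c.islower() for c in pw):
        failures.append("no lowercase")
    if not any(c.isupper() for c in pw):
        failures.append("no uppercase")
    digits = sum(c.isdigit() for c in pw)
    if digits < MIN_DIGITS:
        failures.append("no digits")
    elif digits > MAX_DIGITS:
        failures.append("too many digits")
    if not any(c in SPECIALS for c in pw):
        failures.append("no special character")
    elif pw[0] in SPECIALS:
        failures.append("special character at start")
    return failures


def evaluate(candidates: list[str]) -> dict[str, list[str]]:
    """Map each candidate password to its rule violations."""
    return {pw: check_password(pw) for pw in candidates}


# Constructed sample passwords (not real credentials), chosen to show how the
# rules treat a long memorable phrase versus short hard-to-remember strings.
SAMPLE_PASSWORDS = [
    "correct horse battery staple",   # long and memorable, yet rejected
    "Tr0ub4dor&3",                     # short and hard to remember, yet accepted
    "!Passw0rd1",                      # rejected only because the special char leads
    "Pass1234567!",                    # rejected for having "too many" digits
]


if __name__ == "__main__":
    for pw, failures in evaluate(SAMPLE_PASSWORDS).items():
        verdict = "ACCEPTED" if not failures else "rejected: " + ", ".join(failures)
        print(f"{pw!r:32} {verdict}")
```

Running the block prints one verdict per sample; the passphrase fails for having no uppercase, no digits and no special character, while the short mixed string passes every rule.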