One important tool in security is without a doubt an effective security policy. A security policy helps to ensure that common procedures across the organization are followed thus facilitating the identification of risks and mitigation of said risks as well as advising users as to what is allowed and what procedures they need to follow.
I recently came across a story by the BBC where sometimes setting up an effective policy is not enough! In the year 2000 an aid for the President of the United States of America was entrusted with keeping the nuclear arsenal launch codes safe and available to the President should the need arise. The aid lost the codes. However, there was a back-up plan in place in the eventuality of something like this happening – an official was to check the codes once a month and to replace them once every four months. When the first official came to verify the codes the aid simply said the President had the codes and he couldn’t be disturbed at the moment – a really simple excuse that was enough to buy the aid a month’s worth of time. This excuse worked twice in a row and the loss was only discovered when the time came to change the codes.
The security policy itself was sound. It correctly didn’t rely on people to just come forward when there was an issue with the codes, such as losing them; instead it proactively ensured that the worst case scenario was that they cannot be lost for more than one month. Yet it still failed.
I obviously do not have access to the details of this case, but since the policy was executed I can only suspect that the policy itself did not have contingencies for simple situations such as, what happens if the codes cannot be verified on the day? If the policy did indeed contain that clause it certainly did not have a mechanism to ensure the code verification had in fact been carried out.
This incident teaches us a very important lesson. It is without doubt very important to have a security policy in place; however, it is just as important to have a mechanism in place which ensures that policies are adhered too. It is also imperative to have controls in place that can monitor and assess how successful a policy is.
A policy should not be something you design once and leave be. It should be reviewed and, if needed, improved. If someone in the situation mentioned above was monitoring that the policy was executed successfully, not only would it have been possible to upgrade the policy to support such eventualities as the inability to verify the codes on a specific day, but a security issue of immense proportions such as misplaced nuclear launch codes would have been detected and addressed in a third of the time that it actually took to address it.