In Depth

The Six-Figure Software Licensing Mistake

Even the best security staff is not above making costly mistakes

By Anonymous

Page 3

Have an acceptable use guideline defined in your policy and require your staff to sign on to it. Make sure it specifically calls out the IT and security team members so that no employee feels above the rules. You should also have a change control policy. Good change control processes ensure your staff understands how and when it is acceptable to introduce new software and changes into your computing environment. A change control policy should require that, among other things:

  • Any system changes, including new software installations, are documented and approved
  • Configuration management documentation is updated to reflect the new state
  • Changes are applied only by authorized personnel
  • Changes made by one person to security appliances and devices are reviewed by another qualified staff member

This separation of duties keeps a potential bad apple from having both keys to the nuclear missile. The military calls it Two-Person Integrity, and the purpose is to keep people honest. I’m not equating an illegal software incident with something as critical as nuclear weapons, but we all take a hit in credibility when people start wondering who’s watching the watchers.

Finally, make sure you have a policy to conduct background checks on all your new hires and annual checks for your existing staff. If you don’t, you are asking for trouble. You’d think that in a large government organization this would be standard policy, right? Wrong! One of the first questions I was asked about this employee was if he’d had a background check.

Run Good Auditing Tools

You need to run security tools that audit and identify when unauthorized software is installed. Symantec Altiris, LANDesk, Microsoft Systems Management Server and Novell ZENworks are some of the representative tools that establish the heart of software asset management in a Windows environment. In addition to tracking what software is installed and uninstalled, these tools track licensing and report on inventory management and usage. Need metrics? These tools give you all you need.
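As an added illustration of what the auditing tools above do under the hood, and of how the change control requirements listed earlier can be checked mechanically, here is a small reconciliation script. It is not code from any of the named products; it compares a constructed inventory export against a constructed approved-software baseline and flags three things a software asset manager cares about: products that are not on the approved list, installs performed by someone other than the authorized deployment account, and approved products deployed on more machines than there are licensed seats. Product names, hostnames, account names and seat counts are all made up for the example.

```python
"""Reconcile a software inventory against an approved baseline.

Added example, not code from Altiris, LANDesk, SMS or ZENworks.
All inventory rows, product names and seat counts are constructed.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed inventory export: (hostname, product, version, installed_by)
INVENTORY = [
    ("WKS-001", "Acme Office Suite", "12.1", "svc-deploy"),
    ("WKS-002", "Acme Office Suite", "12.1", "svc-deploy"),
    ("WKS-003", "Acme Office Suite", "12.1", "svc-deploy"),
    ("WKS-003", "Hypothetical CAD Pro", "4.0", "jdoe"),
    ("SRV-010", "Hypothetical CAD Pro", "4.0", "jdoe"),
    ("SRV-010", "Unlisted Backup Tool", "2.3", "admin"),
]

# Constructed baseline: approved product -> licensed seat count
APPROVED = {"Acme Office Suite": 5, "Hypothetical CAD Pro": 1}

# Constructed change-control rule: only this account may install software
AUTHORIZED_INSTALLERS = {"svc-deploy"}


@dataclass(frozen=True)
class Finding:
    kind: str      # "unauthorized", "unapproved_installer" or "over_deployed"
    product: str
    detail: str


def audit(inventory, approved, authorized_installers):
    """Return a list of Findings for everything that violates the baseline."""
    findings = []
    seats = Counter()
    for host, product, version, installed_by in inventory:
        if product not in approved:
            # Not on the approved list at all: an unauthorized install.
            findings.append(Finding("unauthorized", product,
                                    f"{host} ({version}) installed by {installed_by}"))
            continue
        if installed_by not in authorized_installers:
            # Approved product, but installed outside the change process.
            findings.append(Finding("unapproved_installer", product,
                                    f"{host} installed by {installed_by}"))
        seats[product] += 1
    for product, count in seats.items():
        licensed = approved[product]
        if count > licensed:
            # More installs than purchased seats: the licensing exposure.
            findings.append(Finding("over_deployed", product,
                                    f"{count} installs vs {licensed} licensed seats"))
    return findings


def summarize(findings):
    """Count findings by kind; handy as the metric the text asks for."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in audit(INVENTORY, APPROVED, AUTHORIZED_INSTALLERS):
        print(f"{f.kind:20} {f.product:22} {f.detail}")
    print(summarize(audit(INVENTORY, APPROVED, AUTHORIZED_INSTALLERS)))
```

In a real deployment the inventory rows would come from the agent-based tools named above and the baseline from the purchasing records; the point of the script is that the reconciliation itself is simple once both inputs exist, and that the same data answers both the "is this authorized?" question and the "are we over-deployed?" question.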

Establish a Training Program

Make sure that your folks get regular refreshers on what it means to be a security professional. As most of us have heard, “The only difference between a security professional and a bad guy is permission.” Even good people need to hear this every now and then. It reminds them not to cut corners. I’ve seen people get so caught up in resolving a problem or putting something new together that they forget their overall responsibilities and jeopardize their careers by circumventing policy. When people get caught driving drunk, their insurance rates go up and they have a police record. It doesn’t matter if they are solid citizens with no prior records. The same goes for information security professionals. It’s awfully hard to get a job with the black mark of unprofessional conduct on your résumé.
