Security on a Shoestring: Creating Internet policies on the cheap

When did the SANS Institute write its first in-house security policies? Like many organizations, the Bethesda, Md.-based small business only did it after there was a problem.
A former consultant with the organization used his existing SANS e-mail address to send spam. Technically speaking, the former consultant hadn’t done anything wrong, as the SANS Institute, best known for its computer security training and research, didn’t have policies for acceptable e-mail use. Nor did it monitor or retain e-mail as a business record.
The first thing the SANS Institute did was write policies for acceptable use, covering such things as Internet access, e-mail, and passwords, said Stephen Northcutt, the director of training and certification at the SANS Institute. “We went from ad hoc to organized in 24 hours.”
Getting burned often drives organizations to action. Yet while the heat of the moment distills thinking, planning ahead never hurts, and company size or expense is no excuse. Small and medium-size businesses (SMBs) can create Internet-security policies on the cheap if necessary. In fact, because SMBs are “more intimate by nature,” enforcing acceptable use of Internet resources is “easier and much simpler,” said Randall Palm, the chief technical and information security director at the Computing Technology Industry Association (CompTIA) in Oakbrook Terrace, Ill.