Why Security Policies Cannot Stand Alone
One important tool in security is without a doubt an effective security policy. A security policy helps to ensure that common procedures are followed across the organization, which makes it easier to identify and mitigate risks, and it tells users what is allowed and what procedures they need to follow.
I recently came across a story by the BBC showing that setting up an effective policy is sometimes not enough. In the year 2000 an aide to the President of the United States of America was entrusted with keeping the nuclear arsenal launch codes safe and available to the President should the need arise. The aide lost the codes. However, there was a back-up plan in place for exactly this eventuality: an official was to check the codes once a month and replace them once every four months. When the first official came to verify the codes, the aide simply said that the President had the codes and could not be disturbed at the moment. That simple excuse was enough to buy the aide a month's worth of time. It worked twice in a row, and the loss was only discovered when the time came to change the codes.
The security policy itself was sound. It correctly did not rely on people coming forward when there was a problem with the codes, such as losing them; instead it proactively ensured that, in the worst case, the codes could not be lost for more than one month. Yet it still failed.
I obviously do not have access to the details of this case, but since the policy was executed, I can only suspect that the policy itself did not have contingencies for simple situations such as: what happens if the codes cannot be verified on the day? If the policy did indeed contain such a clause, it certainly did not have a mechanism to ensure that the verification had in fact been carried out. A check that can be satisfied by an unverifiable assertion from the very person being checked is not a check at all.
This incident teaches us a very important lesson. It is without doubt very important to have a security policy in place; however, it is just as important to have a mechanism in place which ensures that policies are adhered to. It is also imperative to have controls in place that can monitor and assess how successful a policy is.
A policy should not be something you design once and leave be. It should be reviewed and, if needed, improved. If someone in the situation described above had been monitoring whether the policy was executed successfully, two things would have followed. First, the policy could have been upgraded to cover eventualities such as the inability to verify the codes on a specific day. Second, a security issue of immense proportions, misplaced nuclear launch codes, would have been detected and addressed in a third of the time it actually took.

In the case of the Presidential aide, I'd attribute the failed security policy to human error. If it were up to me, the aide would've been shot, hanged and burned in that order. A lot of the grief would've been averted if he had simply fessed up to having lost the launch codes in the first place. I don't think the security policy was sound at all, having to rely on incompetence like that.
@Phil
I don’t think the article is outright dismissing the negligence of the presidential aide. What the article is addressing however, is the fact that security specialists didn’t recognize the aide as a possible security problem. Although it’s great to point fingers and hold people accountable for their actions, security is a preventive measure not a reactive one. It’s always recommended to fix your company’s security system first, before implementing it.
Thanks Jay, that was indeed my point.
You're right obviously, Phil, in that the Aide is by far the most at fault and should get more than a slap on the wrist, but as Jay perfectly puts it, the Aide could manipulate the verification process (the policy that the codes need to be checked monthly), and that was the result of a lack of oversight to ensure policies are actually implemented. Putting policies in place is never enough and we all know that. You need to ensure policies are implemented and followed.
This is definitely an interesting anecdote. You would think that such high-level personalities as the President himself would have a security detail and system that would rely on far more fail-safes than a personal aide.
There are definitely some interesting points brought up here in the comments section as well. I guess somebody should e-mail this to the Presidential Chief of Staff in case he’d be willing to take a couple of notes.