
bans the use of 3rd party NTP servers
How else are they going to propel the country into the past?
India's government last week issued confidential information security guidelines that call on the 30 million plus workers it employs to adopt better work practices – and as if to prove a point, the document quickly leaked on a government website. The document, and the measures it contains, suggest infosec could be somewhat …
Not to mention DNS servers... not even root-servers.org /.net are allowed to be used, as the root servers are considered a "third party"... and also a national DNS server is mandatory because it allows easier man-in-the-middle redirection and/or interception.
This, in common with many of the other listed requirements, is a mere exhortation that ignores whether it's likely to be effective (and it probably isn't, as 'popularity' is no warranty of safety and user reviews come from unverifiable sources). Unless they're backed by technical measures and informative training, exhortatory 'policy statements' of this kind are incapable of protecting the enterprise. But India is far from alone. In over two decades of consulting I've never seen a corporate 'user policy' that could actually contribute to security. The common failings are:
[1] vagueness of objectives
[2] lack of explanation
[3] negligible provision for and verification of training
[4] fundamental resort to penalties as opposed to effective enforcement
If policy is going to actually work, there's at least as much need to address the human angle as to deal with the technical. In his classic "Industrial Relations" (1987) Michael Salamon points out what almost every organisation seems to have missed (although it's objectively rather obvious), that policies are only effective if they are arrived at by negotiation and supported by training so that people actually understand both the policies and the need for them. They're also ineffective if their sole (or even primary) objective is punishment of 'offenders' rather than resolution of problems and prevention of their recurrence. The almost universal 'enforcement' clause along the lines of "breaching this policy can lead to dismissal" is actually worse than useless, as it:
[a] causes people aware of it to conceal their mistakes
[b] introduces an adversarial relationship between management and those managed when an incident is investigated, preventing objective investigation
[c] does nothing to prevent recurrence of an event as it gets primarily ascribed to 'stupidity'
[d] absolves management in their own mind from taking precautions that could minimise opportunities for incidents to happen (e.g. better technical provisioning)
As a result almost all corporate security policy is pure shelfware. To operate securely, you need to be working within a culture of secure practice - not just attempt to follow a list of externally imposed apparently arbitrary obligations that haven't been put into proper context in your own terms.
A better approach might be to set up a repository of open source apps for their employees to use, and disable the Google/Apple app stores.
Unfortunately this approach is not very feasible because Google and Apple have done their very best to kill off any open source development on their platforms, and they have largely succeeded.
There are some holding out against this tyranny though, such as /e/os, but thanks to Android's horrendously complicated SDK, it is almost impossible for an end-user to build even /e/os from source.
"patch promptly, run anti-virus software, log off when away from one's desk, and encrypt data before transmission"
We're talking about government. That means that there's an IT department that calls the shots on patching.
As for encrypting, that would be difficult if IT has not installed and configured the tools to do so. The user is not supposed to be able to do that on his own, now is he?
And if you think I'm logging off to go take a piss, I have news for you: I'm pressing Windows-L to lock my session and not lose my work.
I appreciate the intent, but there's a lot here that doesn't really depend on just the user.
It's probably intended for IT departments too.
It's a set of national government guidelines, so probably applies to departments that run their own IT.
It's an improvement on our own government in the UK, which used Zoom for meetings that must have included discussions of at least some top secret information.
Also, best not to assume different govt agencies have the same levels of IT support - in my experience (16 years so far) the larger Ministries or Departments have the largest budgets, and the biggest (though not necessarily best) IT teams, while smaller agencies may have very little support internally, instead out-sourcing IT to commercial providers.
...confidential information security guidelines...
How on earth is any of the advice in this document confidential? It seems to be mostly well-known and widely-used good practice.
OTOH, mustn't give the proles advice about security, they might use it to secure themselves against the govt., I suppose.