Monday, October 6, 2014

Ignoring Security Policy Reviews

I had an experience this weekend that made me think about policy and how it can be something that ruins your business very quickly. Interestingly enough, this was not an information security policy related event, but the process I went through made me think about how a company can really screw up by not being aware of the global environment it operates in.

The incident: being a security guy, I do take advantage of security aspects that are provided by others. My credit card company has a system whereby I can generate single-use credit card numbers for online purchases. I can even use reward points for these purchases. With this in mind I was looking for an inexpensive monitor for my home office, so I went online to BestBuy so I could see what they had, and since there are two locations near me I could go and quickly pick it up. I found one that was suitable, quickly generated a credit card number and placed the order. Within half an hour I had the "come get it" email from BestBuy. It did mention that I should bring the email, my ID and the credit card. Well, the card is virtual, it generates and disappears, but I had the source card. Off to Best Buy, where they promptly refused to allow me to pick it up. The associate claimed they do not allow virtual credit cards for in-store pickup. I asked why, and the response was "It is policy." Well, it seems to be a silly policy since you can easily trace it back to me with my ID and the email, and the fact that it all matches the data I provided for the online purchase, which cleared the credit card check. "It is policy". Then he stepped in it deep: "But ... if you have someone else pick it up and you say who it is at checkout, then it is OK since they do not have to show the card."

WHAT!!!!!!!

Someone who skims my card and gets the number, CIV and expiry can go online, buy something with my card and put their own name as the person picking it up - BUT - I cannot?

"It is policy"

It dawned on me: BestBuy created a policy many years ago when virtual credit cards did not exist, and they have not updated that policy now that this new paradigm is in place. Sure, a few years back it was good practice to want to see the card, but to update the policy to let someone else pick up the order and not update it to handle virtual cards or currency?

Imagine now that this is an IT security policy. With the recent BASH vulnerability announced, would a company now start to look at where they are using CGI and Linux systems to see what they need to do from a policy perspective for future protection? A good company may even do an evaluation of other aspects of operations to see if there was any open-source code that may also have been created before certain vulnerabilities were leveraged.

The lesson for me, outside of "don't shop at BestBuy", is that security implementation and policy are not about a document or a configuration. Security is about taking what is happening today and ensuring that you understand how that impacts your business, and mitigating any risks - look to the future, but ensure you understand what you are doing today and what others are doing that may potentially put you at risk.

BTW - I used the exact same method for a purchase at Apple, and I'm using that keyboard to type this post .... no card needed.