By now, most organizations are striving for self-improvement in the area of information security. However, many have programs that are far from complete and will sooner or later fall victim to an external or internal breach of security. The reasons are not necessarily a lack of knowledge or technical savvy, but rather the inability to "sell up the chain" and a lack of understanding that protecting data assets and intellectual property and maintaining privacy requires a "multi-dimensional" approach. These constraints, which include the inability to gain support for the cause and the inability to see beyond technology as the sole solution, prevent talented IT and management staff members from executing plans to better secure data assets.
Most IT professionals focus their discussions with CEOs on the topic of "security"; however, almost always, the executive staff will not respond. Yet the same topic discussed within the context of "risk management" and "due diligence" (particularly for publicly traded firms with share-price-sensitive shareholders) places the right people on notice. These individuals know very well that in current market conditions and within the lawsuit-happy marketplace, losses due to a lack of due diligence on the part of executives are not taken lightly.
Furthermore, what makes matters worse for most organizations is regulatory compliance. Regulations include a critical list of directives specific to a given industry, e.g. HIPAA for the healthcare marketplace, Gramm-Leach-Bliley/Sarbanes-Oxley for the financial industry, and 21 CFR Part 11 for pharmaceutical firms. These regulations can help elicit the right response from those wielding the "power of the pen," but only if the IT or security staff take an active role in defining the regulatory obligations and their relationship to the business.
This is a challenge for most businesses, particularly those that elect to make security "everyone's" responsibility without focused leadership, or that select an internal candidate from within the IT staff who has limited understanding of the business and its organizational structure. Knowledge of all aspects of the business, not just technology, is what enables an organization to address its security concerns on a far more comprehensive basis, which translates into a more robust multi-dimensional "risk management" strategy.
Development of such a strategy begins with a three-dimensional philosophy. This philosophy differs from a fragmented protection model in that it focuses on three major target areas of risk management: people, process and technology. Each target area must dovetail with the other, providing for a thorough, trusted framework for achieving acceptable levels of risk.
Three-dimensional risk management programs vary by industry, but most share major components that reflect accepted best practices and robust information security infrastructures. Top-down, these components include the following:
Insurance
Just as any organization maintains a liability policy to address a variety of misfortunes, protection against computer-related losses should also be part of the risk management strategy. This coverage also plays into the security program development initiative: in order for an organization to obtain the necessary "hacker" coverage, it must first demonstrate that an appropriate technology risk management model is in place.
Policies and Procedures
The place where most organizations should start, but sometimes do not, is the development of corporate information security policies and procedures (process and technical). Policies and procedures are key foundational documents, since they define data classification, requirements, procedure and direction for all activities that deal with information and data, regardless of its state. One byproduct of a well-developed and implemented policy and procedure document is maximization of the return on security investment (ROSI).
Granted, the development of policies does not by itself constitute elevated levels of protection for the organization and its data assets. In fact, in some cases the organization can devalue its technology risk management efforts by introducing policies without appropriate training. This type of training falls within the confines of a security awareness program. A security awareness program must channel information to and from the end-user community, the technical staff and the executives, and even clients and partners. A robust program consisting of on-going training will instill understanding within the organization's population and ensure that each employee/individual becomes a full participant in the information security effort.
Most organizations employ outside vendors to conduct periodic vulnerability assessments; however, in many cases such activities yield less than appropriate results. This phenomenon is quite simple to explain: most organizations tend to look at the vulnerability assessment strictly from the IT perspective and ask for not much more than a port scan. The assessment process must cover all critical security infrastructure components from the ISO 17799 or BS 7799 standards, i.e. people, process and technology. These include not only access control, war-dialing/driving, internal and external penetration testing, wireless network assessment, software development/management and exploitation of discovered vulnerabilities, but also policy completeness, physical protections, software QA, security awareness, intrusion prevention, technology procurement, partner management and liability coverage, among others. As noted earlier, risk management is much more than hardening systems.
A range of commonly accepted and market-available technologies makes the process of managing risk either easier or harder, depending on the skill levels of the staff supporting such devices. No system is valuable to an organization if the analyst is not fully aware of the data generated by it. For example, intrusion detection systems (IDS) present a specific problem in that it is rare to see these systems installed, configured and supported by staff who truly understand the technology, much less the alarms. These deployments are also commonly incomplete. For example, the network sensors may be placed where too much irrelevant traffic is monitored, resulting in unmanageable levels of "false positive/false negative" alarms. Or, sensors may be running in passive mode, not utilizing their device management features, or simply lacking the related "prevention" technology. Either way, intrusion monitoring should include the network, system and application levels for effective data correlation and decision-making.
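As an added illustration of the correlation point above (example code written for this page, not from the article): constructed alerts from the network, system and application levels are grouped per host, and only hosts with activity at two or more levels inside a short window are escalated, while an isolated network-sensor alert stays low priority. The window length, host addresses and alert texts are assumptions.

```python
"""Multi-level alert correlation (added illustration, not from the article)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed correlation window: alerts on one host within 10 minutes belong together.
WINDOW = timedelta(minutes=10)

# Constructed sample alerts: (timestamp, monitoring level, host, description).
ALERTS = [
    ("2024-01-01 09:00:00", "network", "10.0.0.5", "port scan from external address"),
    ("2024-01-01 09:02:00", "network", "10.0.0.7", "port scan from external address"),
    ("2024-01-01 09:04:00", "system", "10.0.0.5", "new local admin account created"),
    ("2024-01-01 09:06:00", "application", "10.0.0.5", "failed logins then success"),
    ("2024-01-01 11:30:00", "system", "10.0.0.9", "service restarted"),
    # Same host as the second network alert, but 38 minutes later: outside the window.
    ("2024-01-01 09:40:00", "application", "10.0.0.7", "burst of SQL errors"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def correlate(alerts, window=WINDOW):
    """Return {host: set_of_levels} for hosts whose alerts from at least two
    different monitoring levels fall within `window` of each other."""
    by_host = defaultdict(list)
    for ts, level, host, desc in alerts:
        by_host[host].append((parse(ts), level, desc))
    escalated = {}
    for host, events in by_host.items():
        events.sort()  # chronological order
        for i, (t0, _, _) in enumerate(events):
            # Levels seen in the window that starts at this event.
            levels = {lvl for t, lvl, _ in events[i:] if t - t0 <= window}
            if len(levels) >= 2:
                escalated[host] = levels
                break
    return escalated


def triage(alerts):
    """Split hosts into escalated (multi-level) and low-priority (single-level)."""
    escalated = correlate(alerts)
    low_priority = {host for _, _, host, _ in alerts} - set(escalated)
    return escalated, low_priority
```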
Furthermore, other technologies must include centrally managed enterprise virus control that covers, at a minimum, all servers, client devices and e-mail gateways, to ensure localization and inoculation of all hostile code. Also appropriate are local and remote access control mechanisms where credentials, authentication/authorization and perhaps VPN (virtual private network) technologies work in concert to reflect overall enterprise policies and protect critical data assets. And let's not forget firewall, router and switch configurations, where applying these policies simply makes sense. A focused, policy-based security technology infrastructure coupled with monitoring capabilities can heavily affect an organization's ability to manage risk.
Mark Nagiel is Manager, Information Security Consulting, NEC Business Network Solutions, Inc., Irving, Texas