Are you secure?


Because information can be a company’s largest and most important asset, managers and employees need to dedicate time, effort and money to ensure such assets are properly protected. With the increased complexity and interconnectivity of networks, corporate infrastructure boundaries have virtually disappeared. As a result, information security requirements have grown almost exponentially.

With a wide variety of constantly changing threats, a comprehensive, layered security approach is needed. A solution based solely on technology is not enough. An overall strategy for enterprise security needs to include not only hardware and software but also the policies, procedures and organizational structure required to provide a sufficient level of security. The requirements are identified by a thorough assessment of security risks, says Steve Korb, senior security systems engineer with Premier Technologies.

Maintaining a security infrastructure is a continuous process. Regular assessments are useful to understand the progress that has been made and to help prioritize what steps are needed to further mitigate potential threats to your business, says Korb.

Smart Business spoke with Korb about how security assessments should be planned and how their results should be put into practice.

What are the elements of an effective security assessment?

Assessments need to be done in a methodical manner in order to produce results that are repeatable and easily compared against prior assessments. The goal of an assessment is to identify and understand corporate risks and what steps can be taken to eliminate or reduce the risks. The impact of those risks on the organization should also be quantified. The final part of the assessment should provide potential remediation steps.

Companies should utilize such assessments to protect services, hardware and revenue. An assessment of a company’s Internet-accessible devices may reveal that a particular host is vulnerable due to a missing patch on the server. The impact depends on the services being provided by the application on the host, but problems could result in loss of revenue. In this case, the immediate remediation would be to patch the server. Long-term remediation also should be evaluated. Depending on the potential lost revenue, this could indicate the need for providing a more resilient environment with built-in redundancy and disaster-recovery plans.

What standards exist for doing security assessments?

A standards-based approach like ISO 17799 should be utilized. ISO is the International Organization for Standardization, and the 17799 standard is a comprehensive set of controls for information security. The standard contains a set of 39 key control objectives.

ISO 27001 is a closely related standard that provides specifications for the requirements of an information security management system (ISMS). A standard approach to assessing security provides a consistent method to understand the security posture of an organization.

With a full understanding of the risks and exposures an organization faces, a comprehensive security plan can be developed. The plan should include technical solutions as well as aspects such as a disaster-recovery plan and business continuity planning. A standard assessment approach can also help to stay in compliance with government regulations like Sarbanes-Oxley, HIPAA, GLBA and others.

How often should an assessment be done?

Once a strategy for corporate security is implemented, you cannot forget about it and assume assets will continue to be secure. An initial assessment will help prioritize and balance the plan against potential risks and expenditures, but the landscape is constantly changing, so a security plan needs to be adaptable to evolve with those changes. Periodic assessments should address changes that might affect the company’s overall security posture.

The best practice is to assess on an annual basis. In some cases, regulatory requirements may mandate annual assessments. In addition to a regular schedule of assessments, significant changes to the environment require assessments to be done.

Security measures such as disaster recovery and business continuity plans should also be tested on a regular basis. Finding out that a redundant firewall is not working when the primary goes down is not an ideal situation. Procedures need to be tested so that in the event of a real emergency, business can be back to normal as quickly as possible.

Change is inevitable with technology, and new vulnerabilities are discovered every day. The goal is to be vigilant about understanding the potential threats, understanding the impact they will have on the business and minimizing the effect of these risks.

Should all identified risks be fully mitigated?

They need to be weighed against the potential impact to the business. Before a solution is implemented to mitigate any risk, there needs to be an analysis of the impact. There are acceptable risks. The potential impact of the vulnerability may be outweighed by the gain associated with providing a particular service to clients or end-users. You don’t want to implement a $50,000 solution for a $5,000 problem.
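Korb makes two points above that lend themselves to a small worked example: an assessment should be repeatable and comparable against the prior run, and each finding's impact should be quantified and weighed against the cost of fixing it. The following script is an added illustration, not code from the article, from Korb or from Premier Technologies. It diffs two assessment snapshots (new, fixed and persisting findings), ranks the current findings by annual loss expectancy (likelihood per year times loss per incident), and applies a constructed decision rule: remediate when the expected annual loss exceeds the one-time fix cost, otherwise record the risk as accepted. The hosts, issues and dollar figures are all constructed sample data; the "ftp-1" entry is sized to mirror the $50,000-fix-for-a-$5,000-problem case in the text.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    host: str
    issue: str
    likelihood: float  # estimated probability of exploitation per year (0.0 to 1.0); constructed estimate
    impact: float      # estimated loss from a single incident, in dollars; constructed estimate
    fix_cost: float    # estimated one-time cost to remediate, in dollars; constructed estimate

    @property
    def key(self) -> Tuple[str, str]:
        # The same host and issue appearing in two runs means the finding persisted.
        return (self.host, self.issue)

    def annual_loss_expectancy(self) -> float:
        # ALE = annualized rate of occurrence * single-loss expectancy.
        return self.likelihood * self.impact


def compare_assessments(prior: List[Finding], current: List[Finding]) -> Dict[str, List[Tuple[str, str]]]:
    """Diff two assessment runs so progress and regressions are visible."""
    prior_keys = {f.key for f in prior}
    current_keys = {f.key for f in current}
    return {
        "new": sorted(current_keys - prior_keys),
        "fixed": sorted(prior_keys - current_keys),
        "persisting": sorted(current_keys & prior_keys),
    }


def prioritize(findings: List[Finding]) -> List[Tuple[Finding, str]]:
    """Order findings by expected annual loss and decide remediate vs. accept.

    Decision rule (constructed for this example): remediate when the expected
    annual loss exceeds the one-time fix cost; otherwise accept and record it.
    """
    ranked = sorted(findings, key=lambda f: f.annual_loss_expectancy(), reverse=True)
    return [
        (f, "remediate" if f.annual_loss_expectancy() > f.fix_cost else "accept")
        for f in ranked
    ]


# Constructed sample snapshots: hosts, issues and figures are hypothetical.
PRIOR_RUN = [
    Finding("www-1", "missing web server patch", 0.5, 20000.0, 500.0),
    Finding("mail-1", "open relay", 0.3, 15000.0, 200.0),
]
CURRENT_RUN = [
    Finding("www-1", "missing web server patch", 0.5, 20000.0, 500.0),     # still present: ALE 10,000 vs 500 fix
    Finding("ftp-1", "legacy FTP service exposed", 0.1, 50000.0, 50000.0),  # new: ALE 5,000 vs 50,000 fix
]


def report(prior: List[Finding] = PRIOR_RUN, current: List[Finding] = CURRENT_RUN) -> str:
    """Render the comparison and the ranked decisions as plain text."""
    lines = []
    delta = compare_assessments(prior, current)
    for state in ("new", "fixed", "persisting"):
        for host, issue in delta[state]:
            lines.append(f"{state:10s} {host}: {issue}")
    for f, decision in prioritize(current):
        lines.append(
            f"{decision:9s} {f.host}: ALE ${f.annual_loss_expectancy():,.0f} "
            f"vs fix ${f.fix_cost:,.0f}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Keeping the finding key, the estimates and the decision rule explicit is what makes the run repeatable: the next assessment can be diffed against this one line by line, and an "accept" decision carries the numbers that justified it, so it can be revisited when the likelihood or the impact changes.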

STEVE KORB is the senior security systems engineer with
Premier Technologies. Reach him at [email protected].