Information Security Management should achieve
three clear, strategic business goals:
- Protecting valuable information assets,
- Preserving the privacy of employees, customers, clients, and
suppliers, and
- Providing information availability
The process to achieve these goals requires an ongoing cycle of activities. The key stages in this cycle include:
Defining Environment & Assets: The scope of the Information Security Program must be clearly defined. It must include not only the organization itself, but also its interactions with others, such as suppliers, partners, and customers. Each significant change in the organization (e.g., mergers and acquisitions, new products and services, new or remodeled offices, staff reductions, significantly modified information technology, new network connections, new laws, etc.) usually results in a change in the information security asset "base" that must be protected.
This phase also includes an information valuation process. Many organizations skip this process. That is a big mistake. Establishing a value for your assets is the only way to make certain that the cost of the recommended safeguards properly reflects the value of the asset to be protected.
Security Risk Analysis: This phase of the Information Security Management Cycle puts structure to your threat and vulnerability environment. Threats include natural and man-made events, and accidental as well as intentional acts. The possible consequences of threats to information assets include: unauthorized disclosure, copying, alteration, destruction, and denial of access. Network Security Solutions' structured Threat and Vulnerability Analysis (TVA) services assist clients by: documenting and analyzing the relevance of information assets, identifying relevant threats and risk scenarios, detecting inadequate security management practices, and recommending prudent safeguards. This is typically a two-phase approach: 1) evaluating administrative controls (e.g., policies) and 2) evaluating technical controls (e.g., server, firewall, and wireless configurations). Network Security Solutions also offers a methodology transfer service that is used to coach client Information Security staff on how to conduct their own TVA self-assessments.
Policies, Procedures, & Guidelines: Management is responsible for protecting information assets and for informing employees of their responsibilities. To reduce corporate liability, this should be done through the issuance of written policies, procedures, and guidelines. Written communication of security responsibilities must be presented in graduated levels of detail to address the needs of different roles (e.g., management, technical, administrative) within the security program of the organization. These must also be reinforced by vibrant, continuing security awareness programs that constantly remind employees of important information security risks and how they should be addressed within the scope of their job responsibilities. Policies should address physical, technical, and administrative controls. Typical information security policies include: Software, Change Control, Media, Telecommunication, Workstation, Access Control, Passwords, Audit, Security Violations, Risk Management, Personnel, Email, Backup Procedures, Password Management, Access Controls, and Minimum Security Configurations for Servers.
Another vital component of this phase is the development of a comprehensive continuity plan (e.g., disaster recovery or business resumption plans). The contingency planning process includes a business impact analysis, developing a recovery strategy, plan development, and plan testing. This testing may be accomplished at varying levels of sophistication, ranging from simple on-site recovery of major computer systems to elaborate procedures involving off-site backup file retrieval and "hot site" and "cold site" systems. Network Security Solutions is an industry leader in recovery plan development and testing. We use time-tested techniques that have been validated in a wide range of industries, and our staff includes certified business continuity planners (CBCP).
Security Design & Implementation: Information Security Policies can only be effective if the proper designs and tools are in place. To ensure effective implementation, security and operations must be planned together. A well-organized approach to defining the security tools you will use (the toolkit) is essential. This ensures that the business process will be accomplished along with the necessary safeguards. A comprehensive security architecture defines the physical and administrative controls necessary to take full advantage of technical safeguards. Several recent industry and government standards have made this process easier to understand and implement. Nonetheless, getting the "maximum mileage" from built-in security features (e.g., network application safeguards, user identification, password management, data access authorization, audit logs, super user controls), in addition to essential security add-ons (e.g., firewalls, intrusion detection, encryption), is a continuous and demanding job.
Monitoring, Audits, & Testing: It is a senior management responsibility to ensure proper accountability for information assets. Recent Federal and State laws such as Gramm-Leach-Bliley, HIPAA, Sarbanes-Oxley, and SB 1386 make it very clear that senior management may be held liable for the compromise of information assets. Usually, a combination of tools, full-time "internal consultants", and occasionally external consultants will be needed to achieve the necessary safeguards. Not every action needs to be monitored and recorded. Each organization must develop its own list of "security relevant events". These events must be monitored. To accomplish this, every network entry point (e.g., remote access, firewall) must be configured to generate the necessary audit logs. This is more difficult than you may expect. Remember, audit logs should be automatically monitored and regularly reviewed.
In addition to monitoring and auditing, it is essential to frequently conduct technical self-evaluations of important systems. This process will determine their level of vulnerability to "hacker" exploits that may come from either outside or inside the organization. This process requires the use of both hands-on hacker simulation procedures and automated testing tools. It is designed to detect serious vulnerabilities associated with faulty security settings (e.g., weak passwords, under-protected data, backdoor entry points) and flawed software (e.g., running software without applying the latest security-related software patches and/or service packs).
The hardest part is now done, but the information security management process must continue. Information assets will change, requiring the risk environment to be updated. Policies and procedures must reflect those changes, and so on. As you can see from the diagram, the process continues over time through each new iteration.
Let us help you in this process. We have certified professionals who can help you through all or part of the information security management cycle. Contact us, or call us today at 801.224.3194.