Business information exists in a complex ecosystem, teeming with a multitude of technologies, regulatory requirements, standards, business processes, vendors, security threats, system vulnerabilities, and market pressures. This information moves through elaborate workflows across networks, multiple applications, databases, servers, and across political boundaries. In today’s world, much of this information has to meet the three information security tenets: availability, integrity and confidentiality.
Availability means that information must be available in a timely manner by those who need it. Integrity means that information is complete and free from tampering and confidentiality means that information must be secured from unauthorized access.
The following steps provide guidance for implementing an enterprise security program (ESP), a holistic approach to IT security.
Step 1: Establish Information Security Teams
In his book Good to Great, Jim Collins extols the virtues of having the right people on board before embarking on any corporate journey. The ESP journey is no different. Broadly speaking, the company needs to form two teams: the executive team and the cross-functional security team. The executive team is responsible for establishing the mission, objectives and goals for the ESP, and is usually comprised of senior-level executives. This team is also responsible for setting top-level security policies, establishing organization risk thresholds, obtaining funding for the ESP, and creating the cross-functional security team.
The cross-functional security team, itself made up of sub-teams, is responsible for day-to-day IT security operations, which include managing IT assets, assessing threats and vulnerabilities, managing risks, establishing policies, setting up procedures and controls, conducting internal audits, and providing training.
Step 2: Manage Information Assets
Managing information assets starts with conducting an inventory. This inventory should document hardware, applications (both internal and third party), databases, and other information assets (e.g., network shared folders, ftp sites etc.). Once the inventory is complete, each asset must be assigned an owner and/or a custodian. An owner serves as a point of contact for the assigned asset, whereas a custodian has responsibility for the stored information.
The assets are then categorized into different levels of importance, based on the value of the information contained in them and the cost to the company if an asset is compromised.
Regulations are mandatory, legal requirements. Healthcare providers must implement Health Insurance Portability and Accountability Act (HIPAA) guidelines, and most companies in financial services must implement Gramm-Leach-Bliley Act (GLBA). Standards—such as Payment Card Industry (PCI), ISO 27001—are industry best practices. The executive team determines which regulations and standards must be implemented.
Step 4: Assess Threats, Vulnerabilities and Risks
Threats are sources of danger to information assets. It is important to list all the pertinent threats, categorize them, and rank them based on their importance. Vulnerabilities are weaknesses or flaws in the system that can be exercised, inadvertently or intentionally, to cause a security breach. Vulnerabilities exist in people, processes, and technologies. Making a list of applicable vulnerabilities and ranking them based on their impact to the organization is advisable.
Risks are possible events or conditions that could have undesirable outcomes for the organization. Risks occur at the intersection of threats and vulnerabilities. For example, the technological vulnerability in Microsoft Outlook combined with the vulnerability resulting from people opening unknown attachments can be exploited by the threat of the Mydoom virus to create the risk of loss of network bandwidth.
Step 5: Manage Risks
Risk management focuses on avoiding, mitigating or transferring risks. It starts with a list of risks which are categorized according to the likelihood of their occurrence and their impact to the organization. The likelihood and the impact together determine how these risks are prioritized. A high-impact risk with a high likelihood of occurrence is a high-priority risk to the organization.
Once the risks are prioritized, they can be dealt with in one of several ways. For example, the risk of attack by the Mydoom virus can be avoided by using Lotus Notes instead of Outlook, mitigated by installing the latest anti-virus software and training people not to open suspect attachments, or transferred by contracting with a third-party vendor to provide all e-mail needs.
Step 6: Create an Incident Management and Disaster Recovery Plan
Security breaches, unintentional loss of IT assets, accidental deletion of critical data, or power outage in a data center are examples of incidents. A good incident response plan clearly identifies what needs to be done, for the most common incidents.
Incidents that are catastrophic in nature call for a disaster recovery (DR) plan. Following the 9/11 attacks and Hurricane Katrina, several affected businesses with no such plan in place were unable to resume business.
Step 7: Manage Third Parties
The complex ecosystem of information frequently includes third parties such as vendors, suppliers, and intermediaries. Insecure networks or practices in third-party companies that are connected with a business can create exploitable security loopholes.
A good starting point is to list all third parties that a company is doing business with and prioritize this list based on the extent of information overlap or sharing, and the criticality of the information. The company can then proceed to find out what security measures are in place at the third party and mandate any necessary controls. Also read, 5 Security Questions to Ask Your Software Vendor.
Step 8: Implement Security Controls
Controls are measures that are put in place to mitigate or eliminate risks. Technical controls are safeguards that are incorporated into computer hardware, software or firmware (e.g., access control mechanisms, identification and authentication mechanisms, encryption methods, intrusion-detection software). Nontechnical controls are management and operational controls such as security policies, operational procedures, and personnel, physical and environmental security.
Controls are usually categorized into preventive controls and detective controls. Preventive controls inhibit attempts to violate security policy, whereas detective controls warn of violations or attempted violations of security policy.
Step 9: Conduct Training
An often ignored step, training employees on security is the key to enforce an ESP. All manner of technology safeguards and security measures do not mean anything if employees are careless about their laptops, connect to insecure networks outside of the workplace, or are unaware of what constitutes suspicious behavior.
Step 10: Conduct Audits
Internal audits ensure that policies and procedures are in place and are effective, controls have been implemented, legal regulations and mandatory compliance requirements are being met, risk is being managed, various security plans are being updated on a regular basis, and training is effective.
External audits are sometimes mandatory to comply with regulations. External audits bring in a neutral third party to provide an unbiased security assessment and recommendations on bridging security gaps.
Information security is no longer a concern of just the IT department. Given the increasing complexity of the ecosystem in which information resides, the criticality of that information to the business, and the growing number of security threats, information security has become the concern of the entire organization. An effective ESP is an organization-wide effort to deal with IT security holistically.
Yesh Dattatreya is the delivery director at MDI Group, and has more than nine years of experience in developing and implementing large transformational IT projects. His most recent project was an IT security consulting project at a large national hospital group.