Security basics: What to include in your IT security plan
By Samuel Greengard
Too often, midsize companies focus strictly on technology rather than on taking all the steps necessary to lock down the IT environment in a crisis. If you take the time to understand business processes, procedures, and workflow, you will be in a better position to provide the IT security your organization needs.
In Summary:
- Conduct a thorough assessment of business assets, processes, workflows, and job functions.
- Prioritize assets and match security solutions and policies to risk levels.
- Seek input from individuals across the enterprise, and develop a common vision and approach.
Just as security threats differ from organization to organization, so should security strategies. A company that does all of its business online or has a high percentage of mobile workers will have different security needs than a retail chain, for example. Different company cultures may also dictate how you implement security solutions. For example, an organization with a large percentage of workers under the age of 30 might need to invest more heavily in security education and training to prevent its "power users" from disabling your network through insecure practices.
A thorough upfront analysis — one that conforms to your business plan — can help build a foundation for an effective and cost-efficient security strategy.
Everybody has a different threshold of pain. The loss of important e-mail messages could endanger a law firm's work and undermine client relationships, for example; for a health-care organization, the exposure of a single medical record might lead to bad press and severe penalties under the Health Insurance Portability and Accountability Act (HIPAA) and other regulations.
Recognizing your company's "threshold of pain" is an important part of your security strategy because it forces you to identify the areas that are mission-critical to your business.
Identify physical assets
The first — and perhaps easiest — step in your security analysis is to identify your company's IT assets, including such physical assets as notebook computers and portable storage devices. Once you know what you have and what you need to protect, you can recommend appropriate solutions and processes, including systems and network configurations, patch management, and hardware and software upgrade paths.
Assess your business processes
Next, analyse your business processes with security in mind. An organization must know where data is kept, how employees store information, and how it is exchanged internally and externally. For example, employees may rely on low-security applications such as instant messaging to exchange files with others inside and outside the business, or they may store proprietary data on a notebook computer without encrypting it. Such activity calls for new policies from the IT department so that employees don't unwittingly compromise sensitive corporate data.
An upfront assessment of core processes — with input from cross-functional teams — goes a long way toward identifying weaknesses and potential failure points. Say you review your company's employee termination process (including access to systems and data) and discover that there's no mechanism to ensure that a line manager or human resources submits forms to revoke system access and e-mail privileges. By making this procedure mandatory — and building in the proper workflow — it's possible to eliminate days, weeks, or months of unauthorised access.
Rank your security needs by importance
After you have finished your business-process analysis and made any changes necessary, it's time to prioritise security needs. A basic numerical rating system that ranges from 1 to 3 (low, medium, and high) should provide a starting point to determine which systems and assets are most important. Rate the impact of events resulting from a security breach (such as network downtime or financial costs) on that three-point scale. The resulting matrix should provide insight into what demands the highest priority.
More tips for developing a plan that makes a difference
- Focus on events, not timelines. Although it's often wise to develop a detailed one-, two-, or five-year plan for IT security, know that security is a moving target. New technologies and new threats are constantly emerging. Therefore, focus on policies and procedures that maximize flexibility and accountability, and review your plan on a regular basis.
- Define security responsibilities across the organization. Embed them in job descriptions to make security management real. For example, a sales manager may need to carry a notebook PC with customer records and other sensitive data. That individual should be responsible for protecting the data — through encryption, authentication, and other methods.
- Outline a series of steps to follow during a security incident. This can help prevent employees from panicking in the heat of the moment. After any incident, set up a debriefing session with managers and key security staff members to discuss what worked and what didn't work.
- Match the solution with the risk. "Once a business understands its risk profile and what assets it needs to protect, it can set up appropriate controls," explains James Quinnild, a partner at PricewaterhouseCoopers in Minneapolis. For a financial institution, for instance, tools that scan outgoing data for certain numerical strings, such as account numbers or Social Security numbers, might top the list. For a call center operation, applications that block incoming e-mail attachments might prevent malware from shutting down critical operations.
- Develop a security approach that's flexible but enforceable. "You don't want to prevent people from doing their work and you don't want to undermine productivity," Hasson says. For instance, it may be necessary to let certain employees use portable flash memory devices to carry data with them. IT's job is to ensure that those employees have access only to appropriate data for their job role, as defined by their managers. Striking a balance between practicality and security is a delicate matter, especially as organizations become larger and their IT infrastructure becomes more complex. Technologies such as Microsoft Windows Server 2003 Active Directory can help manage roles and responsibilities.
- Finally, monitor systems and log files on a regular basis. This helps to identify potential problems and respond to changes quickly and efficiently.
While there's no simple way to address security concerns in today's business environment, a thorough assessment process and business-aligned security plan are the best bet to reduce risk. "Sound security practices are never an accident," Cobb concludes. "They're the result of careful and thoughtful analysis, and they involve all corners of an organization."