Planning Enterprise Information Security

In This Chapter
- Understanding the risk of data breaches
- Planning to protect information assets
- Devising a security policy
- Employing security technology

Information Has Value

Consider how costly the following events might be to a business:
- An Internet-based retailer experiences problems with Web services, preventing customers from placing orders.
- A file is copied to the wrong server, resulting in proprietary information being available on a company's public Web site.
- A programming team is tasked with making critical changes to a legacy production application, but the source code was lost months ago.
- A company loses several weeks' worth of billing data after a server crash. Although the data was scheduled to be backed up, the error messages in the backup log files were missed, or the backup was untested and failed during recovery.
- Network connectivity issues prevent call center customer service personnel from accessing customer data.

Without proper planning and organization, your organization risks not only data loss, but also the loss of the capability to use data as required.

Protecting Enterprise Data

Common ways in which data is revealed:
- Theft of equipment (particularly laptops) containing unencrypted information
- Equipment discovered missing during periodic inventory checks
- Confidential data posted to a company's public Web site or to an inadequately secured, accessible location
- Improper disposal of data processing equipment
- Accidental exposure through e-mail

Creating a Security Plan
- Design a workable program
- Use a layered framework
- Implement security standards
- View security as a program, not as a project
- Keep security simple

Design a workable program

The key to success for any enterprise architecture initiative is having a clear, well-developed security program with identified requirements and attainable goals. Breaking your program into smaller, manageable projects:
- ensures that new technology meets your organization's needs before full implementation;
- establishes clear, distinct goals that can be easily conveyed to the technology implementers;
- reduces users' fear of change by taking things one step at a time.

It's also critical to ensure that expectations are reasonable, starting from the top of the organization. Executives must have a firm grasp of project goals to guarantee funding and to communicate those goals to middle management and rank-and-file employees.

Use a layered framework
- Data
- Applications that access the data
- Hosts on which the applications and data reside
- Network on which the hosts reside
- Perimeter separating your organization's network from the public network
- Facility housing the computing equipment

Implement security standards
- ISO/IEC 27000 series, published by the International Organization for Standardization (www.iso.org)
- Systems Security Engineering Capability Maturity Model (www.ssecmm.org)
- The Standard of Good Practice for Information Security, published by the Information Security Forum (www.isfsecuritystandard.com)
- Special Publication 800 standards, published by the U.S. National Institute of Standards and Technology (csrc.nist.gov)
- Federal Information Processing Standards (www.itl.nist.gov/fipspubs)

View security as a program, not as a project

Projects have a beginning and an end, but programs are continuous. The completion of the firewall installation project does not mean that your organization's network will always be protected. Firewalls and other security appliances and tools require ongoing maintenance and attention to ensure that they remain effective.

Attackers are continuously looking for vulnerabilities and developing methods to exploit them. Thousands of viruses are released every year, along with many other assaults. It isn't much of an exaggeration to say that by the time you say, "The network is now secure," a new virus or other technique for exploitation has been developed or a new vulnerability discovered.

Security is a constant game of cat-and-mouse. The enterprise, as the defender, has a limited set of tools and finite resources for protecting the environment, while there are countless numbers of attackers with access to (almost) limitless attack tools that vary in scope, complexity, and sophistication.

Keep security simple

With security, you can have too much of a good thing. You must find the proper balance between security and usability, or risk having users bypass controls in order to perform their jobs. For example, password policies that call for frequent expiration of complex passwords may lead to users writing down passwords and storing them in convenient (but insecure) places.

IT security professionals can also suffer the effects of too much complexity. They often want to log and monitor everything, which can be detrimental to the health of the network without the proper tools to filter those logs into usable data. You could compare logs to surveillance footage from security cameras: they're excellent after-the-fact investigation tools, but without the proper detection and alert capabilities they do little to prevent an incident from occurring.

Developing a Security Policy
- Classifying data to be secured
- Addressing basic security elements
- Getting management approval
- Maintaining the policy
- Training employees

Classifying data to be secured

You need to know the type of information that is on your network before you can dictate policies regarding its security. If you've selected an IT governance framework, it's likely to have a specific process for data classification. At a minimum, the data storage survey should reveal enough information for you to classify your organization's data by business function, sensitivity, owner, and known security requirements based on legal or contractual mandates.

Addressing basic security elements
- Administrative access: The security policy should contain rules that govern the creation, use, and management of accounts with administrative access.
- Acceptable use: The policy should include an acceptable-use policy so that appropriate use of technology is clearly defined.
- Authorized software: The policy should cover procedures for software installation, including whether end users are allowed to install software on their own.
- Data disposal: The policy dictates the procedures to follow when disposing of storage media that may contain data.
- Encryption: The security policy should establish the appropriate use of encryption as well as approved mechanisms.
- Firewall: Rules for how the organization's firewalls will manage network traffic should be incorporated into the policy, including procedures for updating and changing rules.
- Incident management: The security policy should include clearly defined procedures for security incident handling and reporting.
- Malware: The policy should indicate anti-malware software requirements, including configuration, definition updates, scanning frequency, and procedures to follow in the event of infection.
- Passwords: The policy should state the organization's requirements for creating and managing passwords. Remember to include requirements for administrative and service account passwords.
- Server and workstation hardening: The policy should provide guidance on necessary security controls for base installations of servers and workstations, appropriate to whatever platforms are in use. This can include items such as removal of unnecessary services or changing default passwords.
- Social engineering awareness: Social engineering is a term used to describe a variety of psychological techniques directed against people, such as manipulation, deceit, or impersonation. The security policy should take social engineering into account when addressing relevant policy elements such as passwords, social media, and telephone procedures.
- Social media: The policy should specify how the organization uses social media and how employees are expected to represent the organization on social networking sites.
- Telephone procedures: The policy should include what type of information can be provided over the telephone and under what circumstances.
- Waste disposal: Because attackers can gain valuable information from corporate trash, proper waste disposal must be addressed.

Getting management approval
- It ensures that those who control the finances understand that security is important and must be budgeted for.
- It lets employees know that security is a valid business concern.

Maintaining the policy

Events that call for reviewing and updating the policy:
- Emerging security threats
- Changes in business functionality or data classification
- Implementation of new technology
- Mergers and acquisitions
- Security incidents

Training employees

After the policies are in place, employees must be educated about the policies and the reasons behind them. They must also have clear instructions for reporting suspicious behavior or events. This training should be conducted regularly, to help keep employees alert and up-to-date on new procedures.

Employee training can be performed electronically using existing information portals, or in person in small units or larger classes. Having properly trained staff leading these events is critical in order to increase the likelihood of employees both understanding the presented material and accepting the training's validity. Larger organizations usually have training staff available through their human resources office. An organization lacking experienced training staff should consider hiring an outside firm to provide this support.

Issues may come up in training sessions that aren't addressed in the security policy. Trainers should note these issues in an after-action review so that the related policies can be reviewed and updated, if necessary.

Using Technology to Support Security Operations
- Use collaborative technologies
- Remain flexible
- Plan for partner relationships
- Outsource only when necessary

Use collaborative technologies

Collaborative technologies can be of tremendous assistance during any project, from something as simple as a server upgrade to a complete migration of technology from one platform to another. These technologies include:
- E-mail and messaging
- Discussion boards and wikis
- Scheduling and task management
- Conferencing (Web, voice, and video)

The architect must ensure that these solutions are in place before beginning a security project so as to promote open communication among all stakeholders. Collaboration tools can serve to:
- Communicate new security policies
- Announce potential threats
- Detail how to address, report, or respond to these risks
- Remind users of their responsibilities with regard to security
- Provide a mechanism for security incident reporting

Remain flexible

Making changes to production architecture is difficult, at best, particularly with regard to mission-critical architecture. In a production environment, you should expect that there have been changes to the resources involved since the initial review was conducted, and plans must be updated accordingly in order to avoid disruption of services.

Flexibility is just as necessary for long-term planning, but remaining adaptable becomes more complex as the environment fluctuates from year to year due to changes in technology, operations, business focus, and regulatory or legislative mandates. Inclusion of entirely new vistas of computational capability can require significant changes to existing strategies and policies.

Plan for partner relationships

Increasingly, organizations are entering into partner relationships with other businesses, customers, vendors, and others that all require some type of integrated external connectivity and information sharing. Examples include vendor-managed inventory systems, joint ventures, automated shipping management, and clearinghouse functions (such as billing and account management).

You must be aware of partner relationships and how they may affect your enterprise, particularly with regard to connectivity and security. Enterprises cannot afford to be blindsided by unforeseen IT requirements due to new regulatory mandates or other requirements imposed on the business due to a partner relationship.

When is outsourcing security a good idea?

Although you can't transfer liability, it may be cost-effective for some organizations to consider outsourcing individual security functions that are laborious or that require specific skills not available within the organization. Surprisingly, some security functions, particularly those that are time consuming, lend themselves well to outsourcing.

Models for outsourcing security functions:
- Security as a service: Economy of scale is used to offer services and products to organizations at substantially lower costs than if the organization had to make the purchase itself. The products and services are owned by the provider and delivered and managed remotely on a pay-for-use or subscription basis. Antivirus products, managed e-mail products, and log management services fit into this model. Log management, especially in large organizations with extensive logging capabilities, may be a candidate for outsourcing in order to have access to more robust log management software and 24x7 monitoring.
- Managed security services: The hardware or software involved may be owned by either the organization or the provider, but is managed remotely by the provider. These services are more likely to be customizable, and include offerings such as vulnerability scanning, virtual private networking, and firewall management. Smaller organizations may find firewall management to be exceptionally cost effective due to the significant amount of technical expertise that is required to implement and maintain the system.

Outsource only when necessary

Executives often find it tempting to outsource IT services, particularly those in which hardware purchases are required, in order to reduce costs. Technology may become obsolete before it's fully amortized, and a company may want to move the costs from the capital budget to the operating budget for accounting purposes. Due to the dynamic nature of information technology, this year's state-of-the-art firewall could be next year's state-of-the-art doorstop.

Data processing and software development are also commonly outsourced functions, but that has the potential to carry significant risk. It should be done only when necessary, and then only after carefully reviewing the laws and rules that apply to the data involved in those functions.

The decision to outsource should not be taken lightly or made quickly, because it is often easier to streamline local operations than to return operations in-house after an outsourcing failure. Recommend outsourcing only when it's truly necessary to avoid adding complexity or excessive cost to