Security Basics - Overview of the Security Program

A security program consists of policies, procedures, guidelines, and baselines. Together, they ensure,

1. Definition of administrative, physical, and technical controls
2. Consistent adherence to organizational security requirements
3. Day-to-day management of security activities
4. Definition of reasonable and appropriate security for each business critical system

To support these objectives, an effective security program also includes risk assessment activities to test the effectiveness of controls. These activities include penetration testing, vulnerability testing, and policy/procedure gap analysis. In penetration testing, either members of your team or a third party attempts to crack perimeter controls. Vulnerability testing checks your systems to see if they're open to exploitation by common threats. A policy/procedure gap analysis assesses your current policies and procedures to ensure all relevant areas of security are included in your security program. Finally, a good security program includes an incident response process, a topic of a future article in the Security Basics series.

There are two types of security programs - enterprise and system/issue specific. An enterprise security program contains the policies, standards, and guidelines providing the general security canopy under which all systems operate. They're supported by general baselines and procedures that apply to all facets of the information environment.

System or issue specific security programs target individual critical systems or organizational issues. Organizational issues might include:

1. How to define and implement business continuity
2. Use of a specific methodology for change management, development, etc.
3. Framework within which cutting-edge technology may be used, including email, handheld devices, wireless networking, portable storage devices, etc.
4. Regulatory compliance
5. Tools and methods for managing risk
6. Physical security
7. Administrative security

The components of a system or issue specific program augment the enterprise program by targeting concerns that are unique to certain operational areas of the business.

As you might expect, the greatest direct cost associated with the development and management of a security program is personnel. Some organizations outsource the complete security effort. This may be a good option if you just don't want to be bothered with the mechanics of data protection. However, you're still responsible for how the outsource vendor performs, the policies put in place, and the effectiveness of the services provided. Full outsourcing always makes me a little nervous. I like to have more control over my security environment. It can also be more expensive than doing it yourself if you're not careful. The biggest benefit of this approach is that you have a professional security team monitoring your network and managing incident response.

Another approach is to do it all yourself. This is not a bad way to implement security, assuming you or a member of your team has the skills, time, and desire to build and manage a security program. For a small organization, this could also mean a long term commitment by most or all of your IS department. Unless you're working for a large company with a dedicated security staff, this may not be the best use of your human resources.

A third way to implement a security program is to engage security consultants to work with your team to develop appropriate policies, procedures, guidelines, and baselines. As your staff works through the development and implementation processes, ensure that a knowledge transfer takes place. This provides a professionally built program and trained security analysts without committing your entire IS team to the project. Once the program is in place, you can outsource the parts of it more efficiently managed by dedicated service organizations. I prefer this approach. It optimizes your in-house staff while providing an adequate level of security to the organization.

In addition to personnel costs, there are technical costs related to monitoring and measuring the effectiveness of the program. Without the right tools and processes in place, you can't continuously improve your ability to protect your information assets while managing overall costs. Some of the tools you may need include:

1. A port scanner to check for server and workstation vulnerabilities
   
2. A network scanner to identify internal and external network vulnerabilities
3. Penetration testing equipment and software
4. Network monitors
5. An intrusion prevention system

Finally, you will need resources to disseminate information to your staff. Employee awareness activities and employee training are key to securing your information assets.