A security program consists of policies, procedures, guidelines, and baselines. Together, they ensure:
- Definition of administrative, physical, and technical controls
- Consistent adherence to organizational security requirements
- Day-to-day management of security activities
- Definition of reasonable and appropriate security for each business-critical system
To support these objectives, an effective security program also includes risk assessment activities that test the effectiveness of controls. These activities include penetration testing, vulnerability testing, and policy/procedure gap analysis. In penetration testing, either members of your team or a third party attempt to breach perimeter controls. Vulnerability testing checks your systems to see whether they are open to exploitation by common threats. A policy/procedure gap analysis assesses your current policies and procedures to ensure that all relevant areas of security are covered by your security program.
Finally, a good security program includes an incident response process, a topic of a future article in the Security Basics series.
There are two types of security programs: enterprise and system/issue-specific. An enterprise security program contains the policies, standards, and guidelines that provide the general security canopy under which all systems operate. They are supported by general baselines and procedures that apply to all facets of the information environment.
System- or issue-specific security programs target individual critical systems or organizational issues. Organizational issues might include:
- How to define and implement business continuity
- Use of a specific methodology for change management, development, etc.
- Framework within which cutting-edge technology may be used, including email, handheld devices, wireless networking, portable storage devices, etc.
- Regulatory compliance
- Tools and methods for managing risk
- Physical security
- Administrative security
The components of a system- or issue-specific program augment the enterprise program by targeting concerns that are unique to certain operational areas of the business.
As you might expect, the greatest direct cost associated with the development and management of a security program is personnel. Some organizations outsource the complete security effort. This may be a good option if you just don't want to be bothered with the mechanics of data protection. However, you're still responsible for how the outsource vendor performs, the policies put in place, and the effectiveness of the services provided. Full outsourcing always makes me a little nervous. I like to have more control over my security environment. It can also be more expensive than doing it yourself if you're not careful. The biggest benefit of this approach is that you have a professional security team monitoring your network and managing incident response.
Another approach is to do it all yourself. This is not a bad way to implement security, assuming you or a member of your team has the skills, time, and desire to build and manage a security program. For a small organization, this could also mean a long-term commitment by most or all of your IS department. Unless you're working for a large company with a dedicated security staff, this may not be the best use of your human resources.
A third way to implement a security program is to engage security consultants to work with your team to develop appropriate policies, procedures, guidelines, and baselines. As your staff works through the development and implementation processes, ensure that a knowledge transfer takes place. This provides a professionally built program and trained security analysts without committing your entire IS team to the project. Once the program is in place, you can outsource the parts of it that are more efficiently managed by dedicated service organizations. I prefer this approach. It optimizes your in-house staff while providing an adequate level of security to the organization.
In addition to personnel costs, there are technical costs related to monitoring and measuring the effectiveness of the program. Without the right tools and processes in place, you can't continuously improve your ability to protect your information assets while managing overall costs. Some of the tools you may need include:
- A port scanner to check for server and workstation vulnerabilities
- A network scanner to identify internal and external network vulnerabilities
- Penetration testing equipment and software
- Network monitors
- An intrusion prevention system
Finally, you will need resources to disseminate information to your staff. Employee awareness activities and employee training are key to securing your information assets.