Editor’s note: This is a guest post by Bernard Wanyama. Bernard is a Director at SYNTECH Associates and has more than ten years of experience in enterprise IT.
I would like to share a few of my thoughts regarding the important things that can be done to implement security mechanisms in a typical organisation that relies on IT for its day-to-day operations.
All security initiatives should begin with some form of assessment to determine what you are up against so as to shape the nature of the response.
In the risk assessment, the aim is to look at the relevant risks and try to determine their probability of occurring and the impact they will have on the organisation if they occur.
Activities here include collecting an up-to-date inventory of your information assets, equipment and users, and then looking at the potential problems that can arise in your environment.
Standard information system risks include data loss, unauthorised access to systems, denial of service (slowdown or even total outage), inability to process information or transact, etc.
Of course, the higher-level risks that bite you when the simple risks manifest will include regulatory action (telecom, banking or insurance sector regulator fines or licence revocation), reputational risk, financial loss, etc.
Ultimately, the organisation will require a formal basis for justifying investment and adoption of a particular security strategy. The risk assessment delivers such a formal starting point. Given that business and associated risks evolve daily, there should be mechanisms to refresh existing risk assessment documents at appropriate intervals.
Development of an Information Security Programme
The next logical step is to come up with a formal plan that identifies the key security issues that are relevant to the organisation together with the mechanisms that have been put in place to ensure that these issues do not manifest, or if they manifest, the impact is manageable – risk mitigation.
This programme should be adopted at the highest level of the Board and Executive Management to ensure that it gets the right level of visibility, priority and funding.
Development of policies and standards allows the organisation to define its security goals in clear business and technical language.
An annual security plan should also be drawn up to guide the implementation of information security initiatives.
Below are some standard aspects of an information security programme:
Incident Detection and Response
Key systems should be monitored for intrusion attempts and sensitive operations on a real-time basis, to ensure that the systems and the information they hold are protected constantly. In the event that a breach occurs, detection and response should be timely so as to minimise the damage. The organisation should consider deploying technology such as log management, database auditing, intrusion prevention systems, honeypots, DDoS prevention and SIEM (Security Information and Event Management) to deliver this kind of capability.
Education & Awareness
This is perhaps the most overlooked aspect of information security. End users must know their responsibilities and how to behave in different situations. Security risks must be translated into relevant real-world examples. I have encountered situations where co-workers shared passwords in order to serve customers without interruption, only to end up in jail when one of them betrayed the trust of his colleagues.
Security policies should be simplified and circulated through regular face-to-face training sessions with quizzes and sign-offs to ensure that end users can cope with the risks that manifest at their workstations.
Data loss stands out as a top risk across the entire horizon of IT operations – from personal to SMB to Fortune 500 enterprises. Back up your data frequently and test your backups.
Backups should also be encrypted and kept safely away from the systems that hold the live data.
At a personal level, some people use Dropbox while others use sync tools like OneDrive, iCloud and Google Drive. Whatever your level of operations, always ensure that backups are taking place and that they are regularly tested for reliability.
A few years ago, the risk on most networks was perceived to be outside the perimeter, i.e. from the Internet and in some cases, links to off-site facilities and VPNs to partners.
Today, the risk knows no borders and the insider threat now accounts for more than 58% of security incidents, according to a 2013 study by Clearswift.
Briefly, it is important for the organisation to have a robust endpoint security platform that handles antivirus, anti-malware, encryption, intrusion prevention and device management for all platforms, especially laptops and smartphones. If important data resides on a device, then that device must be under your control. An effective endpoint security solution also has the ability to enforce policies that protect users from making wrong moves, such as connecting to open wireless networks, accessing malicious websites or even copying company data onto USB drives without encrypting it first.
In many ways, modern endpoint security solutions address a great majority of user-side risks and are therefore a must-have.
Logs & Reports
Lots of things happen on the network all the time. It is important to have visibility into the logs and events generated by critical infrastructure elements such as switches, routers, wireless access points, firewalls, etc. Having a logging and reporting platform (better known as a SIEM) will allow you to get the right information in the right format at the right time.
Secure your network ports to manage connections from non-company devices: employees, contractors and guards can all introduce compromised laptops and smartphones unknowingly or even knowingly. The standard things like CCTV, biometric locks, environmental monitoring, engraving and Kensington-style locks are important.
It is a best practice to encrypt data, be it at rest or in motion. Secure applications with TLS (SSL) certificates for websites, email and database connections. Network links should be secured with TLS or IPsec VPNs. Wireless, of course, must be secured with WPA2 pre-shared keys or WPA2 with 802.1X (RADIUS backend), and avoid connecting to open wireless networks.
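The Incident Detection and Response and Logs & Reports sections above both come down to turning raw logs into timely, actionable signals. As an added illustration (not code from the original post or from SYNTECH), the following Python detector reads constructed sshd-style log lines and raises two kinds of alert: a burst of failed logins from one address inside a short window, and a successful login from an address that was just failing repeatedly, which is the higher-fidelity signal a SIEM rule should prioritise. The thresholds and the log format are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (syslog/sshd format); not taken from any real system.
SAMPLE_LOG = """\
Mar 10 09:00:01 srv1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 09:00:03 srv1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 10 09:00:05 srv1 sshd[2102]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 09:00:08 srv1 sshd[2103]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 10 09:00:09 srv1 sshd[2104]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 10 09:00:12 srv1 sshd[2105]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Mar 10 09:30:00 srv1 sshd[2200]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar 10 09:31:00 srv1 sshd[2201]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

# Parses the timestamp, outcome, user and source address out of one sshd line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def detect(log_text, threshold=5, window_s=60, success_after=3):
    """Return alerts as (kind, source_ip, user, failures_in_window) tuples.

    'brute_force' fires once when an address reaches `threshold` failures
    inside `window_s` seconds; 'success_after_failures' fires when a login
    succeeds from an address with at least `success_after` recent failures.
    """
    alerts = []
    recent = defaultdict(deque)  # source ip -> timestamps of recent failures
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth event we care about
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog
        q = recent[m["ip"]]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # slide the window forward
        if m["outcome"] == "Failed":
            q.append(ts)
            if len(q) == threshold:  # fire once per burst, not on every failure
                alerts.append(("brute_force", m["ip"], m["user"], len(q)))
        elif len(q) >= success_after:
            alerts.append(("success_after_failures", m["ip"], m["user"], len(q)))
            q.clear()  # the burst has been reported; start a fresh window
    return alerts
```

In a real deployment the same rule would run against the SIEM's normalised events rather than raw text, but the logic (per-source sliding window, escalate on success after failures) is what the correlation rule needs to express.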
Tapes and external disks should be encrypted, just like laptops and smartphones.
You can follow me on Twitter: @SyntechUG and @bmwanyama or Web: www.syntechug.com