http://www.itbusiness.ca/index.asp?theaction=61&lid=1&sid=56003
By Sheldon Gordon
6/30/2004

Companies, like the humans who make them run, are creatures of habit. Some of those habits can make information systems more secure, rather than less. There's no such thing as absolute security, of course. But the seven best practices of highly secure companies are a standard against which CEOs can measure their organizations.

"If you can't afford the security, you can't afford the project," says Rosaleen Citron, CEO of Toronto-based security firm WhiteHat Inc., citing a well-known axiom in the information security industry. On the other hand, "most businesses, big or small, can't afford to defend everything," says Mary Kirwan, an independent security expert in Toronto. Indeed, they would impede their productive business activity if they tried.

An effective approach to information security involves making choices. Companies must compromise, deciding what are the most important assets that need to be protected and then deploying a proportionate level of security around them.

1. Assess and audit

Have a risk assessment and a regular security audit performed by an outside pair of eyes. The risk assessment creates an inventory of assets and undertakes a detailed threat assessment. It assigns ratings to threats, and proposes a list of counter-measures. The security audit is designed to show whether those measures have been adequately implemented.

How "regular" a security audit should be depends on the business and how much information is being exchanged with customers and suppliers. "We're seeing most companies have an audit three or four times a year if they have a lot of online interactions with their clients," says Victor Keong, a partner with Deloitte & Touche LLP in Toronto.

Also, have a consultant rather than the internal I.T. staff perform the audits. "An independent set of eyes is necessary to probe and to test what was done inside," says Kirwan. "It's a conflict issue. Think of the security audit as you would a financial audit."

2. Update your security software

Make sure your firewalls and anti-virus systems are up to date. Enterprises need to ensure that firewalls on the underlying operating systems are secure and that "edge-protection devices" such as anti-virus software, intrusion detection boxes and upstream routers from the ISP are up to date.

"Ninety per cent of companies have these devices in place," says Keong, "so why are they still vulnerable to viruses? It's because of remote users. Their anti-virus signatures are not updated like those in the office environment." Personal firewalls must be installed on laptops and other remote computers.

Keong also recommends event correlation software that will enable the IT department, when logging security-related events, to better discern when a genuine attack is occurring and then take action.

3. Put policy into place

Have an IT policy that is written and enforceable and covers all the critical systems as well as employees of the enterprise. "The baseline of any security architecture has got to be policy," says Ray Gazaway, vice-president of professional security services, Internet Security Systems Inc. (ISS) in Atlanta.

From a legal perspective, the policy should prohibit pornography, conversing with competitors and circulating sexist, racist or defamatory e-mails. Beyond the strictly legal implications, however, the policy should incorporate a digital disaster recovery plan. It should address the basic issue of whom to call in the event of an emergency.

The enterprise's IT department should be an integral part of writing the policy relating to IT issues, says Gazaway, "but it should be the HR group that really owns the policy. It should make sure that employees sign off that they've read it, understand it, and are aware of the consequences of violations."

4. Backup plan

Have a disaster recovery plan. Denial-of-service attacks have sensitized enterprises to the danger of being knocked offline. "If your livelihood is coming off e-commerce, you had better have that [Web site] backed up, just as you do your data," says Citron. "Back it up at least once a week so that you've always got the latest version."

But digital disaster doesn't only take the form of deliberate attacks on IT assets, she cautions. The disaster recovery plan has to anticipate unintentional disruptions such as last August's power failure and the SARS crisis. "I've seen data centres burn down, and we go to the hot site, and away we go," says Citron. "But we'd never seen a situation where companies had to sequester work groups. Companies immediately had to layer security onto notebooks that hadn't been used before but now were needed to enable people to work from home."

5. Train and authenticate

Minimize the internal threat by properly training and authenticating employees. Enterprises should have not only a policy but also an awareness program informing employees not to open e-mail attachments from unknown sources and not to bring in disks from home.

In addition, firms need to have rigorous authentication and access policies. "We're still seeing a lot of very poor password procedures in place," says Gazaway. Companies should make employees change their passwords at least monthly -- and explain why.

Role-based access to systems is another important safeguard. "There needs to be a concerted effort in a corporation to say, 'This employee is only working in this particular role and should only have access to this particular group.' It's amazing how often we see new employees come to a corporation and get access to everything. There's no reason for a person working in a mailroom to have access to financial records or HR records. It's a question of who needs to have access and why. And that needs to be reviewed on a regular basis."

6. Encrypt your data

The use of encryption technology has become widespread in enterprises for e-commerce transactions and wireless communications, but not for stored data. "Encryption of the data at rest is just as important as encryption of the data in transit," says Mark Fabro, chief security scientist with AMS Information Security Services Group in Fairfax, Va.

Stored data has become more susceptible to exposure because of open networking requirements, says Fabro. In addition, stored data tends to be in an aggregated format that, when considered together with other data, can have a much more harmful impact if compromised than data in transit.

"The overall asset value of what is being encrypted will dictate the level of encryption that needs to be deployed to secure the data," says Fabro. "If the information is valuable for one week and it would take a dedicated attacker only half a week to decrypt it, then that encryption is not the right one to use."

7. Report to the CEO

Appoint a chief information security officer (CISO) to be responsible for IT security. Ideally, the CISO shouldn't report directly to the chief information officer. A tangential relationship is necessary because the CISO's recommendations will be implemented through the activities of the CIO.

"The direct reporting should be to the CEO, because it is the CISO who is ultimately going to be responsible for the crafting of information security policies," says Fabro. "And those policies will only be effective if they have top-level buy-in. It is not the CIO who is going to be pressing adherence to an information security policy. It is going to be the highest representation of the company." That should not be the board of directors, however, because employees may not fully grasp the importance of boards, Fabro says.
_________________________________________
ISN mailing list
This archive was generated by hypermail 2b30 : Wed Jun 30 2004 - 09:50:38 PDT