By Louis Nel, MSCE
We all claim to understand the importance of network security. We stand around water coolers chatting about this worm, that newly discovered security hole, this patch, and that hot fix. As IT managers, we know it’s our job to ensure that all the latest patches are not only applied, but applied immediately. And thank goodness for antivirus autoupdates and firewalls.
But a proper security requires much more. It necessitates a systematic, structured approach; without one, your design might end up with many gaping holes.
According to the paper, "Best Practices for Enterprise Security", which appeared on Microsoft Technet:
“The term computer security is a generalization for a collection of technologies that perform specific tasks related to data security. Using these technologies effectively to secure a corporate network requires that they be integrated into an overall security plan. The planning process for their proper implementation involves:
- Gaining a detailed understanding of the potential environmental risks (for example, viruses, hackers, and natural disasters).
- Making a proactive analysis of the consequences of and countermeasures to security breaches in relation to risks.
- Creating a carefully planned implementation strategy for integrating security measures into all aspects of an enterprise network, based on this understanding and analysis.”
Not only will a structured, well-planned approach save you more time than you invested in the planning, it might well save your job.
Do a risk assessment
To secure a network, you must first do a thorough risk/threat assessment. That’s easier said than done, but it need not be an insurmountable task, either. All you need is the right approach. The important thing to remember is that this is not a one-person show (or even an IT department show). To get the bigger picture—as well as all the little details—you’ll have to consult widely within the company.
First, get an executive with clout on your side—someone who can back your efforts. It will make it clear to all involved that this is not just “another IT department thing,” but an initiative with the blessing of the “powers that be.” It might just make some busy manager a little more cooperative.
Now sit down and think. Draw up a detailed list of questions you need answers to. Run that by colleagues and peers. But always remember to keep the list “open”—always ask the people you’re interviewing what else they can think of or would like to add. You might be surprised what someone comes up with.
Start with the general and work your way down to the particular. Ask yourself—and the executives, managers, and department heads—about your company’s business plan. Your company’s annual report is a useful and often overlooked source for such information (and a good overview of your company structure).
A hint: Don’t simply distribute a questionnaire with a deadline slapped onto it. You’ll most likely get back a rushed response, probably even delegated to someone who doesn’t have all the answers (or the time or inclination to answer). Set up meetings and interview people. This strategy has the added bonus that it will get them thinking about security—even after you’re gone.
Weigh the value of the asset
When doing risk assessment, always keep in mind that to determine the risk, you have to determine the value. The more valuable the asset is, the greater the need for its security. This may seem pretty obvious, but it’s something that people often lose sight of. It’s also not always obvious what those “assets” are.
Here’s an example: A consultant interviewed the CEO of a large corporation. At the end of a fruitful discussion, both were pretty certain they had it all covered. It was over coffee that the CEO proudly revealed that his company is working on a new product that’s sure to take the market by storm. Further investigation by the consultant revealed that engineers working on the product carried around highly confidential information relating to the product development on their laptops—unencrypted. E-mail relating to the project was not encrypted either.
Once you have the bigger picture about your company’s structure, business processes, communications, assets, and so on, you’ll have a good idea what needs to be secured. Now is the time for the IT department to sit down and discuss the best ways to secure those assets and processes. Also, establish immediate, short-term, medium-term, and long-term goals.
It’s also the time to determine the need for training. Is your IT department up to all the tasks, or is training needed?
Once implemented, monitor the security set-up on an ongoing basis. And review your security plan regularly, because as companies change, so does the security landscape.
Security plan summary
- Get backing
- Plan before you start
- Have a structured, but open-ended approach
- Consult widely
- Revisit, review, and redo