By Ruby Bayan

Topnotch companies wield cutting-edge technology to stay ahead
of the pack. But with the breakneck speed at which technologies roll out, an enterprise’s
supposedly robust security architecture could quickly become ill prepared for the
new milieu. At the same time, technologies purportedly ready for deployment could
be ushering in new vulnerabilities and exposures.

Diana Kelley, security technology strategist at Computer Associates, and Jim Walker, adjunct
professor of computer security at Carnegie Mellon University and manager of product
marketing at ServGate Technologies,
provided some advice for keeping your security architecture efficient and at par
with the IT industry’s best practices. Further, they provided some guidance for
ensuring that your security environment remains effective as you integrate new technologies.

Start with standards, guidelines, and tools

“To ensure that a company’s security policies are in line
with best practices, the IT manager must be knowledgeable of the latest standards,”
Walker said. Security technology vendors are a good source for information regarding
standards, since their products and services most likely help companies comply with
these standards, he said.

Kelley concurred that managers must be familiar with the ISO standard and the NIST and CSI
guidelines, since these set the pace for what is considered best practice.

“Consult with knowledgeable professionals in the area for
focused and specific guidance that meets both the best practice standards as well
as the individual needs of the business,” she advised.

Walker emphasized that education is ultimately the key to assessing
one’s security policies. “The more knowledge an IT manager has about security the
better,” he said. “Having an IT support that is knowledgeable in security
and proper security constructs will help keep things in line. If the company’s IT
staff is a one-woman army, becoming aware of available analysis tools for gauging
her security practices with the industry’s best practices is imperative.”

Match the business need to the technology

According to Kelley, whenever a new technology is evaluated for
inclusion in an enterprise IT architecture, managers should first establish the
business need that will be met by the new technology: the business case for implementation
and the success metrics associated with this new technology. Then they can move
into reviewing their existing policies, management frameworks, and legacy systems
to see where the intersection points occur, she said.

“Oftentimes, new technology will cause exceptions in policy
due to legacy or other restraints,” Kelley said. “Match the business need
to the technology, to the restraints and exceptions, and revise policies and procedures
as needed.”

Kelley said it’s important to note that an entire security policy
needn’t be rewritten every time a new technology is introduced. However, the new
technology must fit in with the overall policy and management framework or have
exception handling for non-compliance, she said. Sometimes a subpolicy or an addendum
can be a good way to establish the policy for the new technology.

Scrutinize the new technology

Kelley said managers should familiarize themselves with the technology
itself and any known vulnerabilities inherent in the technology. For example, if
an enterprise is going to deploy wireless, understanding the IEEE 802.11 specification is critical,
as well as checking on the related standards, such as the Wi-Fi alliance’s WPA
and the 802.1X standard—IEEE as well, but not exclusive to wireless—which can be
used with WPA.

“Another example of a new technology that bears study before
deployment is VoIP,” Kelley said. “How does the technology work? What
are the risks? VoIP considerations would include the effect on the organization
if downtime occurs due to a DoS or poor bandwidth management.”

Kelley suggested online resources, conferences, and other educational
outlets, and the vendors who provide the new technology.

Walker said that when deploying a new technology, it is important
to review it for proper security constructs. “Find out if the new technology has undergone security certifications,
such as Common Criteria and ICSA,” he said. “These certifications
have been developed so that a common level of security could be established.”

For example, the U.S. government requires a level of Common Criteria
to be attained before a new technology is considered for deployment in any government
network, he said.

Don’t forget the details

Walker stressed attention to factors that should be considered
part of an overall security policy for the organization before and after implementing
any new technology.

He said IT managers should ask themselves the following
questions:

  • Does the
    technology require a connection?
  • If so,
    does it use only specified ports on a machine?
  • Does the
    technology’s database encrypt important information such as passwords or customer
    information—credit card numbers, Social Security numbers, etc.?

“Depending on the type of organization, it may be required
to meet regulatory compliance such as HIPAA,
Sarbanes-Oxley (SOX), or CIPA,” Walker said.

Consider security assessment and management solutions

Walker said that a good alternative to determining the robustness
of your security architecture is to outsource security risk assessment. “Many
consulting firms, such as IBM Global Services,
provide vulnerability assessment services,” he said.

However, Kelley said that if a third-party auditor finds a problem,
it’s too late. “The best practice for an organization is to use their own
management tools to proactively assess the health of the systems on an ongoing basis,”
she said. She recommended that organizations use the management tools from Computer
Associates such as the eTrust
Policy Compliance
, eTrust
Audit
, and eTrust
Vulnerability Manager
.

Keep abreast with best practices

To stay tuned in to the latest standards and best practices
on security architecture effectiveness, Kelley recommended that IT managers read
standards-based documents, such as ISO 17799,
final rulings for HIPAA and SOX, etc.

“Firms specializing in best practice controls, such as the
‘Final Four’ audit firms (KPMG, E&Y, D&T, and PWC) are also a good resource, as are industry
conferences on auditing and security such as those offered by MIS Training Institute,” she said.

However, Kelley provided one caveat: Managers must always keep
in mind that industry best practices may not always synch with business best practices.

“An effective security architecture must serve the business,”
she said. “This may require strict compliance to certain regulations, such
as SOX, but there is no single, most effective best practice for all
organizations.”