With security one of their highest priorities, executives are searching for effective techniques to deliver maximum security while simplifying security management. This outline explains what you’ll need to focus on.
Security management deals with how system integrity is maintained amid man-made threats and risks, intentional or unintentional. Intentional man-made threats include espionage, hacks, and computer viruses. Unintentional threats include those due to accidents or user ignorance of the effects of their actions. Security management ranges from identification of risks to determination of security measures and controls, detection of violations, and analysis of security violations. I’ll describe the steps involved in security management and discuss factors critical to the success of security management.
Step 1: Determine and evaluate IT assets
Three types of assets must be identified.
Physical
Information
The information category includes sensitive data pertaining to the company’s operations, plans, and strategies. Examples are marketing and sales plans, detailed financial data, trade secrets, personnel information, IT infrastructure data, user profiles and passwords, sensitive office correspondence, and minutes of meetings. Recently, concern has also risen about protecting company logos and materials posted on the public Internet.
People
The people category includes individuals in key roles whose incapacity or absence would disrupt the business, for example the only administrator who knows how a critical system is configured.
After you identify company assets, the next step is to determine their security level. Depending on the company’s requirements, assets may be classified into two or more levels of security. I recommend two levels for organizations with minimal security threats: public and confidential. A three-level security classification scheme can be implemented if security needs are greater: public, confidential, and restricted.
Be wary of having too many security levels; this tends to dilute their importance in the eyes of the user. A large multinational IT vendor used to have five levels of security: public, internal use only, confidential, confidential restricted, and registered confidential. Employees were confused about the differences among the levels and the handling procedures associated with each one, and maintaining so many levels proved expensive in terms of employee education, security facilities, and office practices; the costs were often greater than the potential losses from a security violation. Today, the vendor has cut down to three levels: public, internal use only, and confidential.
Step 2: Analyze risk
Every effective security management system reflects a careful evaluation of how much security is needed. Too little security means the system can easily be compromised, intentionally or unintentionally. Too much security can make the system hard to use or degrade its performance unacceptably. Security trades off against utility: if you want the system to be 100 percent secure, don't let anybody use it. There will always be risks to systems, and often these risks are accepted because the functionality that creates them makes the system more powerful or easier to use.
Acceptance of risk is central to good security management. You’ll never have enough resources to secure assets 100 percent; in fact, this is virtually impossible even with unlimited resources. Therefore, identify all risks to the system, then choose which risks to accept and which to address via security measures. Here are a few reasons some risks are acceptable:
After you’ve identified the risks, the next step is to determine the effect to the business if the asset is lost or compromised. By doing this, you get a good idea of how many resources should be assigned to protecting the asset. One user workstation almost certainly deserves fewer resources than the company’s servers.
The risks you choose to accept should be documented and signed off by all parties involved, not only to protect the IT organization, but also to make everybody aware that unsecured company assets do exist.
Step 3: Define security practices
Define in detail the following key areas of security management:
Step 4: Implement security practices
At this phase, implement the security measures defined in the preceding step. You can do this in stages to make it easier for everybody to adapt to the new working environment. Expect many problems at the start, especially with respect to user resistance to their security tasks, such as using passwords. Staged implementation can be performed:
Step 5: Monitor for violations and take corresponding actions
An effective security management discipline depends on adequate compliance monitoring. Violations of security practices, whether intentional or unintentional, become more frequent and serious if they are not detected and acted on. An intruder who gets away with a first system penetration will return repeatedly if nobody appears able to detect the activity. Users who get away with leaving confidential documents on their desks will get into bad habits if they are not corrected quickly.
You’ll perform two major activities here: detecting security violations and responding to them. With respect to sensitive assets, it is important to know:
Document the response to security violations, and follow up immediately after a violation is detected. The IT organization should have a computer emergency response team to deal with security violations. Members of this team should have access to senior management so that severe situations can easily be escalated.
Responses can be built into your security tools or facilities to ensure that the response to a violation is immediate. For example, a password-checking utility may be designed to lock out a user name after three invalid password entries. Make such lockouts temporary rather than permanent: a permanent lockout lets anyone who knows a user name deny that user service simply by entering wrong passwords, so the response itself becomes an attack vector. Alarms can be installed around the data center facility so that if any window or door is forced open, security guards or police are immediately notified.
A critical part of this activity is the generation of reports for management that discuss significant security violations and trends of minor incidences. The objective is to spot potential major security violations before they cause serious damage.
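The following is an added example that is not from the original article; it shows in working code the two automated responses the text describes: locking out a user name after three invalid passwords, and summarizing minor incidents so a pattern can be spotted before it becomes a major violation. The log line format, the user names and the addresses are constructed for the example, and the lockout is temporary (15 minutes) so that deliberately bad passwords cannot permanently deny a legitimate user service. The report goes slightly beyond the text by flagging one source address that fails against several different accounts, a pattern a per-account threshold alone never trips.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not a real product's):
#   2024-03-01T09:00:00 auth FAIL user=alice src=10.0.0.5
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) auth "
    r"(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


class LoginMonitor:
    """Lock an account after `max_failures` failed logins inside `window`.

    The lockout lasts `lockout` and then expires on its own, so an attacker
    who keeps entering wrong passwords can only delay the real user, not
    shut them out permanently.
    """

    def __init__(self, max_failures=3, window=timedelta(minutes=10),
                 lockout=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._recent_failures = defaultdict(deque)   # user -> failure timestamps
        self._locked_until = {}                      # user -> datetime
        self._users_failing_by_src = defaultdict(set)  # src -> accounts it failed on
        self.lockouts = Counter()                    # lockouts triggered, by user
        self.rejected_while_locked = 0

    def handle(self, line):
        """Process one log line (lines must be in time order).

        Returns 'ok', 'fail' or 'locked'."""
        m = LOG_LINE.match(line.strip())
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        ts = datetime.fromisoformat(m["ts"])
        user, src, result = m["user"], m["src"], m["result"]

        # While locked, reject even a correct password; otherwise the lockout
        # would end the moment the attacker guessed right.
        until = self._locked_until.get(user)
        if until is not None and ts < until:
            self.rejected_while_locked += 1
            return "locked"

        if result == "OK":
            self._recent_failures[user].clear()  # a success resets the counter
            return "ok"

        self._users_failing_by_src[src].add(user)
        recent = self._recent_failures[user]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()  # forget failures older than the window
        if len(recent) >= self.max_failures:
            self._locked_until[user] = ts + self.lockout
            recent.clear()
            self.lockouts[user] += 1
            return "locked"
        return "fail"

    def report(self, min_accounts=3):
        """Management summary: lockouts, rejected logins during lockouts, and
        sources whose failures are spread over `min_accounts` or more accounts."""
        spray = {s: sorted(users) for s, users in self._users_failing_by_src.items()
                 if len(users) >= min_accounts}
        return {
            "lockouts": dict(self.lockouts),
            "rejected_while_locked": self.rejected_while_locked,
            "spray_sources": spray,
        }


# Constructed sample log: alice mistypes three times and is locked out,
# bob's two failures are too far apart to count, and 203.0.113.7 fails
# once each against three different accounts.
SAMPLE_LOG = """\
2024-03-01T09:00:00 auth FAIL user=alice src=10.0.0.5
2024-03-01T09:00:20 auth FAIL user=alice src=10.0.0.5
2024-03-01T09:00:40 auth FAIL user=alice src=10.0.0.5
2024-03-01T09:01:00 auth OK user=alice src=10.0.0.5
2024-03-01T09:02:00 auth FAIL user=bob src=10.0.0.9
2024-03-01T09:16:00 auth OK user=alice src=10.0.0.5
2024-03-01T09:20:00 auth FAIL user=bob src=10.0.0.9
2024-03-01T09:22:00 auth OK user=bob src=10.0.0.9
2024-03-01T09:30:00 auth FAIL user=carol src=203.0.113.7
2024-03-01T09:30:05 auth FAIL user=dave src=203.0.113.7
2024-03-01T09:30:10 auth FAIL user=erin src=203.0.113.7
"""


def run(log_text=SAMPLE_LOG):
    """Feed every line to a monitor; return (per-line outcomes, monitor)."""
    mon = LoginMonitor()
    outcomes = [mon.handle(l) for l in log_text.splitlines() if l.strip()]
    return outcomes, mon


if __name__ == "__main__":
    outcomes, mon = run()
    print(outcomes)
    print(mon.report())
```

Note that alice's correct password at 09:01:00 is still rejected because the lockout has not yet expired, while her login at 09:16:00 succeeds without any administrator intervention; and the three single failures from 203.0.113.7 never trigger a lockout, so only the report surfaces them.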
Step 6: Reevaluate IT assets and risks
Security management is a discipline that never rests. Major changes that would require a reassessment of the security management practice include:
As information technology continues to grow in scope and importance, the value of managing the security of the mission-critical systems that run an organization's most sensitive processes and functions cannot be overstated. With a well-defined security management process in place, your IT organization will realize numerous benefits: fewer and less damaging security incidents, shorter problem resolution times, and improved staff productivity.
Harris Kern’s Enterprise Computing Institute and Change Technology Solutions, Inc. represent the industry’s leading minds behind the design and implementation of world-class IT organizations.