Protecting Your Corporate AssetsBy Bob Violino | Posted 2013-07-12 Email Print
The damage from suffering a data breach can be significant and widespread: lost revenue, diminished customer confidence, bad publicity and damage to the brand.
There are always challenges in enterprisewide deployments, Daly points out, including security initiatives. One was minimizing the performance impact of desktop sensors and their rules on the environment. "We address the performance challenges by testing any new desktop rules in a pilot group, and then [roll] them out to select communities and [watch] for negative impacts," he says.
Perhaps the most important security process the company has established is its information security training program. "We require all employees to take computer security training every year, and we go beyond simple hygiene practices to include very specific guidance on detecting advanced persistent threats such as socially engineered emails," Daly explains.
Raytheon also requires all information systems administrators to take further training and pass a test to ensure that they understand the company's policies and practices. "Beyond this, we have established advanced cyber-training for our cyber-security staff to ensure they are capable of dealing with the most difficult attackers," he adds.
In addition to training, Daly strongly recommends that organizations implement firewall controls in their data centers to protect inbound, outbound and cross-bound traffic. "Have all Internet traffic routed through Web proxies that implement white-listing for the data centers and, at a minimum, category and specific black-listing for user networks, including VPN users," he says. "Know where your key assets—data and systems—are located, and spend extra time thinking about those assets."
Protecting Key Assets
Security is especially critical for financial services companies. Andrews Federal Credit Union in Suitland, Md., is particularly diligent about protecting key information assets, such as credit union member information residing on all servers, databases, local networks and mobile devices; all staff and vendor personal, confidential and proprietary information; and all system configurations and documentation.
The firm has implemented a variety of security technologies as part of its defense-in-depth strategy, says Bill Wallace, information security manager. "Many of these are your basic fundamental security systems," he says. "We have been very successful and hope to stay that way."
The security products the firm uses include firewalls, intrusion prevention systems, anti-virus software, spam filtering, data encryption and network segregation.
One of the key security tools is a network access system from StillSecure called Safe Access. The product is "a perfect example of a system that does one thing correctly and keeps the configuration and administration simple," Wallace says. "IT shops with limited staff and resources can't afford to implement systems that are too complex and attempt to cover all security vectors."
This is important because most of the implementation challenges Andrews Federal has encountered with security products "revolve are around training and use of the systems," he says. "Misconfiguration and administrator errors will render the best solution ineffective."
In addition to the technology strategy, the credit union also relies on processes and procedures to protect information assets.
"We have policy and procedures wrapped around every process executed," Wallace explains. "This includes both automated and manual processes. The importance is to create a foundation of acceptable use, confidentiality, integrity and accessibility of all information. Enforcement, consistency and standardization are the fundamental purposes of policy and procedures."
Among Wallace's key recommendations for strong security are constant monitoring of systems data, networks and people; protecting data at all stages of its life cycle; quality training for users, administrators and data owners; and strict adherence to policy and procedures.
Perhaps the most important best practice: communication and transparency. "Security by obscurity doesn't work," he says. "Total understanding of the mission by all levels of the organization [is] paramount."
Wallace emphasizes that it's vital to have to have a buy-in for every solution for it to be successful. "Most people will circumvent any system they can to make life easier," he says. "If they understand the importance of why we need to secure assets, and understand the systems doing the securing, you tend to get better and safer systems, workflow and user experience."