As more organizations realize that using perimeter and anti-virus technologies alone is like locking their doors but leaving their windows open, it’s become evident that enterprises must upgrade their security practices in order to prevent huge data breaches like the one announced by Heartland Payment Systems this past January.
The consensus among security veterans is that enterprises must take an information-centric risk management approach. The following 10 steps can provide a strong foundation for your organization’s information security strategy.
1. MESHING YOUR COMPANY’S SECURITY AND COMPLIANCE EFFORTS
First and foremost, your enterprise should approach the security problem with a comprehensive risk-management strategy that prioritizes information based on its importance to your organization and on regulatory requirements that necessitate its protection. This prioritization should then inform your company’s decisions about where IT security will concentrate its efforts.
“We look at the information across different forms and in the different places that it calls home,” says Adam Hansen, director of information security for Sonnenschein Nath & Rosenthal, a national law firm with more than 800 attorneys and 15 offices in the United States and Europe. “So we start looking at how we can protect that information and what level of protection we can afford. If the information is of no value or is valued at less than the cost to secure it, why would we throw money at a problem that doesn’t exist?”
Compliance will play a part in this risk prioritization because the risks of noncompliance are very real. However, most security experts agree that you shouldn’t make compliance concerns the be-all and end-all driver of security initiatives.
Most IT security experts will tell you that compliance does not guarantee that an organization is secure. Nevertheless, if compliance is baked into the strategy without holding too much influence, it can be a great tool for building consensus and support among executives who might otherwise be reluctant to open the purse strings.
“The auditor is one of my best friends,” says Brian McPhedran, associate vice president of IT risk management for Aegon Canada, part of Aegon, an international provider of life insurance, pensions and investment products that’s headquartered in The Hague, the Netherlands. He explains that in one case he was able to score more funds to implement database security due to an auditor’s recommendations to the company’s executives.
Governance, risk and compliance (GRC) tools can definitely play a big role in ensuring that you have a healthy compliance and risk management program and can point out where your program needs work.
“It falls on management and the IT department to ensure that there are comprehensive security measures in place and that an internal audit will validate the assumptions of the controls,” says Josh Golden, director of internal audit for Kulicke & Soffa Industries, a Fort Washington, Pa.-based semiconductor manufacturer that uses the BWise Enterprise GRC platform to aid internal auditors in this process. “Having a software application that is going to assist in the testing protocols is a tremendous help. It’s really a give and take that needs to take place—and is taking place within Kulicke & Soffa—to optimize how we go about complying with a regulation. In addition, we want to translate that into value for the investors and management.”
2. POLICY DEVELOPMENT, MONITORING AND ENFORCEMENT
Once you start developing a risk management program and prioritizing your risks, you should translate that prioritization into actionable policies that control the systems housing your information. Without policies, the implementation of security technology is a waste. Many companies continue to throw technology at the problem in a shotgun approach and then wonder what happened when they suffer a security breach.
“A lot of it is about policy, process and procedures,” says Jeremy Bowers, security coordinator for Sequoia Retail Systems in Mountain View, Calif., which provides retail software to college bookstores. “In most cases, there’s not a silver bullet: You can’t say, ‘We’re going to buy this product, and it’s going to save us a ton of time.’”
There are various tools that can help automate the enforcement of policies. In fact, the next eight categories describe ways to effectively control policy enforcement at different layers within the IT infrastructure. At the top of the stack are security information and event management (SIEM) tools, which tie these controls together so that you can track activity across systems for compliance purposes and automate policy enforcement.
Mike McDanell, security information officer with the Pasadena Credit Union in California, says TriGeo Security Information Manager was initially deployed to help the credit union aggregate all the security logs he was monitoring across systems. He later started using it to monitor and enforce policy actions.
“It’s helped me find out when employees are doing something they’re not supposed to do,” he says. “For example, when something happens—such as when employees plug in something they’re not supposed to use, like a digital camera—I get a little kickback from TriGeo telling me that they’ve done something against policy.”
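The kind of policy-violation alert McDanell describes, as an added example that is not part of the article and is not TriGeo's code: it ingests constructed endpoint log lines in a hypothetical key=value syslog-like format, checks each USB-connect event against a hypothetical per-host-group allow-list of device classes, and returns an alert for anything outside policy. Hosts that belong to no known group fail closed (every device is flagged), and lines that do not parse are skipped rather than crashing the rule.

```python
"""Minimal SIEM-style policy rule: flag removable-device use outside policy.

Added example; the log format, host groups and allow-list below are assumptions,
not drawn from the article or from any vendor's product.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample log lines (not real data), loosely syslog-like key=value.
SAMPLE_LOGS = [
    "2009-03-02T09:12:01Z host=teller-07 event=usb_connect class=hid vendor=Logitech user=jsmith",
    "2009-03-02T09:15:44Z host=teller-07 event=usb_connect class=ptp vendor=Canon user=jsmith",
    "2009-03-02T09:16:10Z host=teller-07 event=usb_disconnect class=ptp vendor=Canon user=jsmith",
    "2009-03-02T10:03:27Z host=it-admin-01 event=usb_connect class=mass_storage vendor=SanDisk user=ops1",
    "2009-03-02T10:05:00Z host=teller-12 event=usb_connect class=mass_storage vendor=Kingston user=arod",
    "garbage line that should be skipped",
]

# Hypothetical policy: map host-name prefixes to groups, and groups to the
# USB device classes they may attach. Anything not listed is a violation.
HOST_GROUPS = {"teller-": "branch", "it-admin-": "it"}
ALLOWED_CLASSES = {
    "branch": {"hid", "printer"},                 # keyboards, mice, receipt printers only
    "it": {"hid", "printer", "mass_storage"},     # IT staff may use USB storage
}

# timestamp, then one or more key=value tokens
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>(?:\w+=\S+\s*)+)$")


@dataclass
class Event:
    ts: str
    fields: dict


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    device_class: str
    vendor: str


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a well-formed line, or None for anything unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(token.split("=", 1) for token in m.group("kv").split())
    return Event(ts=m.group("ts"), fields=fields)


def host_group(host: str) -> str:
    """Classify a host by name prefix; unknown hosts get the most restrictive treatment."""
    for prefix, group in HOST_GROUPS.items():
        if host.startswith(prefix):
            return group
    return "unknown"


def evaluate(lines: Iterable[str]) -> list:
    """Run the policy rule over raw log lines and return the alerts it raises."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.fields.get("event") != "usb_connect":
            continue  # malformed line, or an event this rule does not care about
        host = ev.fields.get("host", "?")
        device_class = ev.fields.get("class", "?")
        allowed = ALLOWED_CLASSES.get(host_group(host), set())  # unknown group -> nothing allowed
        if device_class not in allowed:
            alerts.append(Alert(
                ts=ev.ts,
                host=host,
                user=ev.fields.get("user", "?"),
                device_class=device_class,
                vendor=ev.fields.get("vendor", "?"),
            ))
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_LOGS):
        print(f"{a.ts} POLICY VIOLATION host={a.host} user={a.user} "
              f"class={a.device_class} vendor={a.vendor}")
```

On the sample above the rule raises two alerts: the camera (PTP class) on a teller workstation and USB mass storage on a second teller workstation; the same storage device on an IT host is within policy and stays quiet. Real deployments would feed the rule from the SIEM's normalized event stream rather than raw text, but the shape of the logic, parse, normalize, compare against a policy, alert, is the same.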