How do companies implement a strategic information security program?
May 08, 2009 in Information Security FAQ, Security Management
seanbethune asked:
In almost all cases, large corporations do a miserable job of implementing and maintaining an information security management program. How can information security justify the business investment to reduce risk and improve security across the enterprise while still maintaining business agility and minimal I.T. bureaucracy?
May 9th, 2009 at 8:45 pm
Create a video blog
Most companies use a combination of automated, centrally controlled AV and user training on what to do when they do receive a virus or email. From an IT point of view, no matter how advanced a plug-and-play device may be in your network, people will still find a way around your infosec. The best way to reduce risk is user training along with strict firewall/proxy policies. Scanning of incoming and outgoing email can help you track down if someone is being too liberal with your information. It's true user mobility on the internet is limited by strict security, but it's easier to make exemptions based on user cases than to leave the whole network open. I hope this is something like what you were looking for.
May 11th, 2009 at 5:57 pm
Kansieo.com
SQL Servers are great for security; however, they have exploits that leave them vulnerable. But, if constantly updated, that should reduce their vulnerability. Then the company should get a program such as Novell Deskworks in order to assure no unwanted programs are executed. Combine this all with a stable, fast server (AMD processors are preferable; Intel Xeons are notorious for crashing and having memory leaks). That should be all the information you need. Hope it helps!
-Cybersnark
May 12th, 2009 at 8:50 pm
Create a video blog
What? Is it final exam time or something?
I can tell you from painful personal experience that companies fail in implementing IT security by looking for technology shortcuts, assuming security is built in with technology infrastructure, or going overboard with an all-powerful central security authority. Companies suck at security because it’s hard, and getting a business person to spend money on an intangible risk is daunting. At best, your security team defines enough disaster scenarios that it scares the business into funding some sort of ongoing risk management program. At worst, security gets buried in IT under the network group.
Getting your arms around what’s involved in a comprehensive security program is half the battle and it has a lot more to do with your business processes and staff behavior than firewalls or fancy technology. First, define a program around the following categories:
1. Governance
2. IP/PII information management
3. Facilities
4. Security policy and exception management
5. System scanning and event monitoring
Second, always, always collect hard data metrics around user access requests, critical assets, policy exceptions, and system scanning results. You’re going to use this data to justify security based on user behavior that increases risk across the company. Show who’s getting and spreading viruses and you’ll get some attention from the business.
Third, start tracking these metrics to collect some sort of baseline. You’ll need to track and report changes in security risk based on some measure of the number and severity of events occurring across the company. If you’re doing a good job, there will be projects underway to address these security issues, prioritized by risk rather than by whatever cool gadget someone wants to implement.
Finally, treat security as a process rather than a tool and you’ll be far ahead of the IT clowns with their IDS and AV toys. Processes are defined, measured, and optimized while today’s technology is in tomorrow’s landfill.
And… If some consulting company wants to implement a “governance framework” using COSO/Cobit/ISO based methodology for your “enterprise security portal” get a rope. Death is too good for them.