Information Security: A Coherent Approach - Eleven security controls every system needs
(Page 4 of 4 )
Having assessed the threats and vulnerabilities relevant to an organization, it is necessary to address them by devising and implementing an appropriate system of controls. It's always tempting to look for an off-the-shelf list of catch-all controls. However, to do so would miss the point, which is that any such control must be specifically targeted to be effective. This is especially true where finance is a constraining factor. Nonetheless, it is possible to draw up a broad list of the eleven most commonly desired controls as identified in the group's white paper.
ISMS - Number one on the list, and something from which any organization will benefit, is the implementation of a comprehensive Information Security Management System (ISMS). Ideally this should be based on some or all of the internationally accepted standards for best security practice. These include:
The purpose of an ISMS is to develop a coherent, effective, and preferably certified approach to security. This provides concerned parties with a high degree of confidence that the key requirements have been identified and resolved. With adequate investment and buy-in from all parties, a properly implemented ISMS is the single most effective weapon in the fight to maintain security. In addition, compliance with recognized security standards can have direct financial benefits, since the confidence it generates can and should extend to the organization's clients.
Data confidentiality controls - Second on the group's control list is data confidentiality controls. These, in short, are technical and procedural measures designed to prevent unauthorized access to data. They include things like the proper encryption of laptop and portable hard drives, securing data in transit, and even placing legal restrictions on data access where this is appropriate. The proper implementation of such controls requires an initial, thorough data audit in order to establish the sensitivity of data and to categorize it accordingly. This ensures that resources aren't wasted implementing controls on data for which they aren't warranted. It also provides a system into which newly generated or acquired data may be integrated.
Data integrity controls - A data audit may also assist with the implementation of data integrity controls. The purpose of these is to maintain the quality, completeness, and accuracy of the data kept within the organization's systems. This is achieved by addressing the points at which data can be corrupted: entry, processing, output, and transmission.
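An added example (not code from the article or its white paper) of what "addressing entry, processing, output, and transmission" looks like in practice: input validation at the point of entry, a keyed integrity tag (HMAC-SHA256) computed by the producer and checked by the consumer so that alteration in transit or at rest is detected, and a batch check that keeps bad records away from the output stage. The record layout, the account-number pattern, and the shared key are assumptions constructed for the demonstration.

```python
# Added example: record-level data integrity controls (not from the article).
# Assumptions: records are flat, JSON-serialisable dicts; producer and
# consumer share a secret key (the one below is a constructed demo value).
import hashlib
import hmac
import json
import re

ACCOUNT_RE = re.compile(r"^ACC-\d{6}$")  # assumed account-id format


def validate_entry(record: dict) -> list:
    """Data-entry control: return a list of problems (empty means the record is well-formed)."""
    problems = []
    acct = record.get("account")
    if not isinstance(acct, str) or not ACCOUNT_RE.match(acct):
        problems.append("account must look like ACC-000000")
    amount = record.get("amount")
    # bool is a subclass of int in Python, so exclude it explicitly
    if isinstance(amount, bool) or not isinstance(amount, (int, float)) or amount < 0:
        problems.append("amount must be a non-negative number")
    return problems


def canonical(record: dict) -> bytes:
    """Deterministic serialisation so producer and consumer tag identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tag_record(key: bytes, record: dict) -> str:
    """Transmission/storage control: keyed MAC over the canonical record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_record(key: bytes, record: dict, tag: str) -> bool:
    """Constant-time comparison so verification timing does not leak the tag."""
    return hmac.compare_digest(tag_record(key, record), tag)


def check_batch(key: bytes, tagged: list) -> dict:
    """Processing control: split (record, tag) pairs into accepted records and
    rejected (record, reasons) pairs so that bad data never reaches output."""
    accepted, rejected = [], []
    for record, tag in tagged:
        problems = validate_entry(record)
        if not verify_record(key, record, tag):
            problems.append("integrity tag mismatch")
        if problems:
            rejected.append((record, problems))
        else:
            accepted.append(record)
    return {"accepted": accepted, "rejected": rejected}


def build_demo_batch(key: bytes) -> list:
    """Constructed sample batch: one good record, one altered after tagging,
    one that fails entry validation."""
    good = {"account": "ACC-000123", "amount": 250, "memo": "invoice 17"}
    tampered = {"account": "ACC-000456", "amount": 10, "memo": "refund"}
    malformed = {"account": "not-an-account", "amount": -5}
    batch = [(r, tag_record(key, r)) for r in (good, tampered, malformed)]
    # Simulate modification between tagging and verification (e.g. in transit)
    batch[1][0]["amount"] = 10000
    return batch


if __name__ == "__main__":
    KEY = b"constructed-demo-key-do-not-reuse"
    result = check_batch(KEY, build_demo_batch(KEY))
    for rec in result["accepted"]:
        print("ACCEPT", rec)
    for rec, reasons in result["rejected"]:
        print("REJECT", rec, "->", "; ".join(reasons))
```

The tag covers a canonical serialisation because two sides that serialise the same dict differently would disagree on the MAC even when the data is identical; the constant-time compare is the usual practice when checking any authenticator.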
System integrity controls - The fourth key recommendation is for system integrity controls. These are pre-emptive controls designed to protect systems from attack by agents such as malware, hackers, and crackers. They include defenses such as firewalls and password policies. These measures might sound obvious, but many organizations still have no or inadequate system integrity protection.
Proactive technical vulnerability management - Technical vulnerability management essentially involves protecting systems against security breaches through the identification of vulnerabilities, the implementation of patches and updates, and the management of services and applications to minimize risk. It may also include elements of system administration not previously categorized with security considerations. For example, even the choice of operating system carries security implications in a networked environment. Another vital aspect of technical vulnerability management is security testing.
"Anti-everything" software - Both workstations and servers are vulnerable to an increasing array of hostile software, including malware, viruses, Trojan horses, spam, and spyware. Selecting, managing and updating protective software is an ever-present part of the security professional's job description.
Proactive IT auditing, monitoring, and reporting - It is more or less impossible to protect against 100% of the threats to an organization's systems. However, by implementing comprehensive response mechanisms, it is possible to contain such threats before they result in incidents or, failing that, to contain the impact of such incidents. This must be done proactively by identifying and responding to potentially damaging events rapidly in order to minimize the consequent damage.
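An added example (not code from the article) of the proactive monitoring the paragraph describes: a small detector that parses authentication log lines, groups failed logins by source address, and raises an alert when the failures within a sliding time window reach a threshold, so the event is surfaced while it is still a potential incident rather than a completed one. The log format, the threshold and window, and the sample lines (which use documentation address ranges) are constructed for the demonstration.

```python
# Added example: detecting bursts of failed logins in auth logs (not from the article).
# Assumptions: one event per line in the constructed format
# "<ISO-8601 UTC timestamp> <host> sshd: Failed password for <user> from <ip>".
import re
from datetime import datetime

FAILED_RE = re.compile(
    r"^(\S+) \S+ sshd: Failed password for (\S+) from (\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
LOG_LINES = [
    "2024-03-01T10:00:01Z host1 sshd: Failed password for root from 203.0.113.5",
    "2024-03-01T10:00:09Z host1 sshd: Failed password for admin from 203.0.113.5",
    "2024-03-01T10:00:15Z host1 sshd: Failed password for root from 198.51.100.7",
    "2024-03-01T10:00:20Z host1 sshd: Failed password for root from 203.0.113.5",
    "2024-03-01T10:00:31Z host1 sshd: Failed password for oracle from 203.0.113.5",
    "2024-03-01T10:05:00Z host1 sshd: Accepted password for alice from 198.51.100.7",
    "this line is deliberately malformed and must be skipped",
]


def parse_failed_login(line: str):
    """Return (timestamp, user, source_ip) for a failed-login line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3)


def detect_failed_login_bursts(lines, threshold: int = 3, window_seconds: int = 60) -> list:
    """Alert on any source whose failed logins inside a sliding window reach the
    threshold. Returns one alert dict per offending source, sorted by source."""
    by_source = {}
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue  # successful logins and unparseable lines are ignored here
        ts, user, ip = parsed
        by_source.setdefault(ip, []).append((ts, user))

    alerts = []
    for ip, events in by_source.items():
        events.sort()
        best = (0, None, None)  # (count, window start, window end)
        j = 0
        for i in range(len(events)):
            # advance j to the last event still within the window starting at i
            while j + 1 < len(events) and (events[j + 1][0] - events[i][0]).total_seconds() <= window_seconds:
                j += 1
            count = j - i + 1
            if count > best[0]:
                best = (count, events[i][0], events[j][0])
        if best[0] >= threshold:
            alerts.append({
                "source": ip,
                "failures": best[0],
                "users": sorted({u for _, u in events}),
                "start": best[1].isoformat(),
                "end": best[2].isoformat(),
            })
    return sorted(alerts, key=lambda a: a["source"])


if __name__ == "__main__":
    for alert in detect_failed_login_bursts(LOG_LINES):
        print("ALERT: {failures} failed logins from {source} between {start} and {end}; "
              "users tried: {users}".format(**alert))
```

A detector like this is only the first half of the control the paragraph calls for; the alert still has to reach someone (or something) that can respond, for example by blocking the source or forcing additional authentication, and the threshold and window should be tuned against the organization's own baseline so that routine typos do not drown real events.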
Enforcement of rights and compliance obligations - This amounts to ensuring that protections afforded by the moral, legal, and regulatory framework are rigorously enforced to protect an organization's interests.
Resilience engineering - Resilience engineering is the process of designing and implementing processes and systems with a high degree of security and reliability. The main ways to achieve resilience are by first addressing vulnerabilities at the design stage to minimize them, and then by avoiding single points of failure, thereby reducing any disruption to services that may result from attempted breaches. Designing resilience into systems is far more effective than trying to add it afterward, and achieving buy-in from decision-makers for such an approach should be a priority in security-critical environments.
Implementing adequate contingency plans - Contingency arrangements will vary greatly from organization to organization, depending both on the level of the threat and on the potential impact of disruption. However, they will always include some or all of the following: data and software backups, offsite storage of backup media, disaster recovery procedures, uninterruptible power supplies and generators, fire and smoke protection systems, and redundant assets. A security audit will help establish an appropriate level of contingency planning.
Information security awareness, training, and education - Addressing the human elements of risk could be the most important decision an organization will ever make. By encouraging and rewarding security consciousness, investing in a security culture, and addressing its key human vulnerabilities, it will take major steps toward eliminating one of the key areas of potential threat.