Effective Information Security Management
An effective information security management program is essential to the success of any business or organization and consists of multiple pieces. Concise policies and procedures, together with executive buy-off, put the program in motion and provide a solid foundation for enforcement. Many professionals try to differentiate between physical and information security, but an information security program must work in tandem with physical security to ensure seamless processes are in effect. A robust technical security implementation is a vital piece of the pie to protect your data. One piece that is often overlooked, but among the most important, is a corporate-wide training program to ensure employees are made aware of current policies, procedures and threats. When these different tasks are integrated, an effective security management program is on track.
Policies and Procedures: Your Foundation
The foundation of an effective information security program relies on documentation to enforce certain rules and processes within the organization. To make these documents effective, the executive management team must have agreed to their terms in writing and be willing to enforce them as required. Without executive buy-off and support, these documents are worthless. Depending on the industry and regulatory requirements, there will be numerous information security policies and procedures that must be put into place. The following are only a few examples taken from the SANS Institute Policy Project:
- Internet Usage Policy. This policy states what the user of information systems will be able to access and what they will not be able to access. This document must explicitly state what is prohibited (gambling sites, social networking, pornography, etc.). Each user must sign this document to ensure that they will be held responsible if the agreement is broken.
- Email Policy. Provides a guideline for proper corporate email usage, etiquette within the organization, and the consequences for not adhering to the policy. This document may be included within the Internet Usage Policy and should be signed by the user as well.
- Information System Auditing Policy. Information systems must be audited on a regular basis to ensure that the systems are operating normally and to validate that the technical security procedures in place are operating correctly. Users must be made aware that their computers and associated activities are susceptible to auditing and monitoring.
- Mobile Device Protection. As technology improves and teaming across state and national boundaries increases, the demand for mobile devices grows. Though convenient, mobile devices present a high threat of sensitive data loss. To ensure that mobile devices are protected, policies and procedures must be in place.
- Wireless Communication Policy. Many employees have their own personal mobile devices that they carry with them on a daily basis and include cell phones, smart phones, personal computers and MP3 players. While many organizations allow these devices, some industries restrict their usage.
Physical Security: The New Information Security
While some will say that physical security needs to remain a separate entity from information security, most will now say that both programs must work together to enhance each other. A server room without a properly secured door is an active vulnerability. A recently released employee logging on to a system is a threat that cannot be ignored. Information security and physical security must work together to ensure that the right people have the correct access at the appropriate time. If a disgruntled employee is fired and their building access badge confiscated, what good has been done if they have retained their logon account, laptop, and VPN connection? Consistent communication between these two teams is a must.
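The gap described above (badge revoked, but account, laptop or VPN retained) is easy to catch if the HR termination list is reconciled against the badge system, the directory, the VPN entitlements and the asset inventory on a schedule. The following is an added example, not code from the original article; the record layouts and the status strings ("revoked", "disabled", "returned") are assumptions, and the sample data is constructed to show both directions of the gap: one leaver whose badge was pulled but whose logical access survived, and one whose accounts were disabled but whose badge is still active.

```python
from datetime import date

# Constructed sample feeds (assumed layouts, not from the article).
# In practice each would come from HR, the badge system, the directory,
# the VPN concentrator and the asset inventory respectively.
TERMINATIONS = [
    {"employee_id": "E1001", "name": "A. Example", "terminated_on": date(2024, 3, 1)},
    {"employee_id": "E1002", "name": "B. Example", "terminated_on": date(2024, 3, 4)},
    {"employee_id": "E1003", "name": "C. Example", "terminated_on": date(2024, 3, 20)},  # future leaver
]
BADGE_STATUS = {"E1001": "revoked", "E1002": "active", "E1003": "active"}
ACCOUNT_STATUS = {"E1001": "enabled", "E1002": "disabled", "E1003": "enabled"}
VPN_ENTITLED = {"E1001": True, "E1002": False, "E1003": True}
LAPTOP_STATUS = {"E1001": "assigned", "E1002": "returned", "E1003": "assigned"}


def reconcile_leavers(terminations, badges, accounts, vpn, laptops, as_of):
    """Return one finding per leaver who still holds any physical or logical access.

    A leaver is anyone whose termination date is on or before `as_of`.
    Each finding lists the controls that were not closed out, so the
    physical security and information security teams can see the same
    list and act on their own items.
    """
    findings = []
    for rec in terminations:
        if rec["terminated_on"] > as_of:
            continue  # not yet left; nothing to revoke
        eid = rec["employee_id"]
        gaps = []
        # A missing record is treated as a gap: "unknown" is not "closed".
        if badges.get(eid, "unknown") != "revoked":
            gaps.append("badge")
        if accounts.get(eid, "unknown") != "disabled":
            gaps.append("account")
        if vpn.get(eid, False):
            gaps.append("vpn")
        if laptops.get(eid, "unknown") != "returned":
            gaps.append("laptop")
        if gaps:
            findings.append({
                "employee_id": eid,
                "name": rec["name"],
                "days_since_termination": (as_of - rec["terminated_on"]).days,
                "open_items": gaps,
            })
    # Oldest leavers first: the longer access lingers, the worse the exposure.
    findings.sort(key=lambda f: f["days_since_termination"], reverse=True)
    return findings


def run_report(as_of=date(2024, 3, 10)):
    """Convenience wrapper over the constructed feeds."""
    return reconcile_leavers(TERMINATIONS, BADGE_STATUS, ACCOUNT_STATUS,
                             VPN_ENTITLED, LAPTOP_STATUS, as_of)


if __name__ == "__main__":
    for f in run_report():
        print(f"{f['employee_id']} ({f['name']}): {f['days_since_termination']} days, "
              f"still open: {', '.join(f['open_items'])}")
```

Treating an absent record as an open item is deliberate: a leaver who never appears in the badge export has not been verified as revoked, and the report should say so rather than silently pass.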
Technical Security: Practice Your Defense in Depth
The concept of defense in depth is not a new idea, but one that is often taken for granted. As with any process, it must be tested periodically, reviewed for effectiveness routinely, and validated as current annually. Without validating your technical countermeasures, they are useless. Defense in depth works in both information and physical security and is often referred to as the onion approach. A layered defense provides numerous ways to identify and halt an intruder. In physical security there are exterior fences, doors, guards, mantraps, more doors, cameras, retina scanners, keypads, and then what you are trying to access. In information security, you have your routers, firewalls, intrusion detection and prevention systems, host intrusion detection systems, anti-virus solutions, and then your data. Without testing the layered approach on a periodic basis, it will remain unknown how successful the countermeasures actually are.
Training Keeps Everyone in the Loop
The annual security refresher email comes out with the schedule for training and there is a collective groan. It is the same in every organization every year. Employees know that it is wrong to access certain websites and to download their favorite music from a peer-to-peer network, and they know that they could be more productive than playing blackjack online. Employees know that they will waste another hour watching a presentation that will most likely make them fall asleep; if they bring a blanket they may actually get some real rest. What an effective security program must include is innovative training. Bring in an expert guest speaker to demonstrate the latest threats. Show your employees how easy it is to get their data: do a simple Google search. Give recent and relevant examples of people having their identities stolen. Give examples of how easily they can be socially engineered. Keep your employees involved and the lights on; the program will pay for itself when a potential threat to your organization is averted.