Introduction
Last week, a friend of mine was discussing a recent security assessment. When asked how the project was going, he rolled his eyes and told me the whole project was on hold until they could figure out the security implications for the business. Too often security stops the business instead of working with the business to figure out how to proceed securely. Why? Let us take a look.

Bob the IT Manager
Bob, a manager at a corporate firm called Widgets, has heard of the latest trends in security and has tasked his IT security team with making the company secure at all costs. Bob has a good heart but is terrible with people. He wants his bidding done now. Before the Widgets staff mutiny, we will step in, help Bob out a little and teach him about Security Management.

Security Management
Think of security management as a broad range of subjects including security policies, security guidelines, security procedures, security classifications and so on. From these components you will construct the security program that helps your organization get and stay secure. Bob will need to evaluate the risks associated with doing business, then categorize the company's assets and assign a value to each of them. No small task. Once Bob has decided what will be protected, he is going to have to look around the office and start asking for volunteers to shoulder the responsibility for the new security policy.

Steve the IT Guy: Is He Right for the Job?
So how many times has this happened to you? Steve (the IT guy at Widgets) now gets told that security is his bag of tricks and that if the server gets hacked, he gets fired. Poor Steve. This is the wrong approach on Bob's part. The IT department in even the smallest of companies is moving at a million miles an hour. You wouldn't hire a chef to guard your house; don't use IT as the security scapegoat. Proper training and education are paramount to the success of Bob's plan, no matter how much he jumps up and down stomping his feet. A proper manager would empower the person selected for the role of Security Lead and provide them with all manner of resources. Don't just think computers here, Bob. Resources include staff, information and funds. If you want the Security Lead to perform well, you will need to provide all of the above plus one last thing: proper management. If Bob takes the time to plan well and gives full support to the new Security Lead, the plan has a real chance of succeeding. So instead of dumping Steve into the role, Widgets has decided to hire Sandy as their new Security Lead after an in-depth interview process. This is a great first step towards making your security plan succeed.

There's a New Girl in Town
Sandy's first day on the job is a daunting one. She has Bob breathing down her neck and a number of policies to implement, all before she has even had a chance to move into her office. Sandy must now start defining the controls for the security process. With each department's help, Sandy must decide who has access to what and in what capacity. The three classes of controls we will look at are Physical, Administrative and Technical.

Physical controls are exactly what they sound like: locks on doors, restricted access to certain areas of the building, removing CD-ROM drives from computers, fencing and surveillance. Sandy may have to talk to someone about hiring a security guard as well.
Sandy's Technical controls would involve logical access to servers, encryption for certain files or laptops, authentication and passwords.
Lastly, she will have a small library of policies, procedures, guidelines, analyses and personnel training to provide the Administrative controls required. Armed with these three classes of controls and a little support, Sandy will be well placed to protect the company's assets.
Trinity of Security
So Sandy has settled in; she has had a busy first week and now even has a Widgets.com e-mail address (courtesy of a very thankful and helpful Steve). Sandy has much to learn in her new role, and she would do well to take the CIA triad to heart. The CIA triad is our last stop on security principles. Many pundits tout the CIA triangle as the Trinity of all things security; just look in any security book and I guarantee you will see it. This simple tenet is something every company should be striving for. CIA stands for Confidentiality, Integrity and Availability, which form the cornerstone of Sandy's corporate existence.
Confidentiality requires that proper techniques be in place to prevent unauthorized viewing of company assets. Everything from simple shoulder surfing and dumpster diving all the way up the malicious chain to social engineering and corporate espionage falls into this realm. To protect confidentiality, Sandy has encryption, education, access controls and policies to help her out.
Integrity ensures that information is not modified without authorization and remains trustworthy. Mistakes at work should not be able to undermine the integrity of corporate data or the policies that govern it. Users are often the ones who breach integrity, by modifying databases on the fly and generally not adhering to the policies put in place (leaking information to unauthorized media sources, by contrast, is a breach of confidentiality).
The policies also have to be iron-clad, so that users are never put in a position where one mistake can void the credibility of a document in the first place.
Availability is often the last bastion of the triangle, as it is the one most directly influenced by resources beyond your control. Availability means dealing with power failures, hard drive failures and, broadly, anything that stops systems and data from being reachable when they are needed.
If your service provider goes offline or, Heaven forbid, you are at the mercy of a denial-of-service attack, your policies and procedures (business continuity) must allow you to weather the storm.
In Closing
So we will leave Bob, Steve and Sandy for a few weeks, then come back to see how Sandy and Bob work together to take Widgets to the next step in corporate security. Remember, Sandy: security is your friend. Security is not about saying "No!", but about asking, "How can we do that securely?"

