Planning Enterprise

Information Security

In This Chapter
Understanding the risk of data breaches
Planning to protect information assets
Devising a security policy
Employing security technology

Information Has Value

How costly the following events might be to a business :
An Internet-based retailer experiences problems with Web services, preventing
customers from placing orders.
A file is copied to the wrong server, resulting in proprietary information being
available on a companys public Web site.
A programming team is tasked with making critical changes to a legacy production
application, but the source code was lost months ago.
A company loses several weeks worth of billing data after a server crash. Although
the data was scheduled to be backed up, the error messages in the backup log files
were missed, or the backup was untested and failed during recovery.
Network connectivity issues prevent call center customer service personnel from
accessing customer data.
Without proper planning and organization, your organization risks not only data loss,
but also the capability to use data as required.

Protecting Enterprise Data

Common ways in which data is revealed :
Theft of equipment (particularly laptops) containing
unencrypted information
Equipment discovered missing during periodic inventory
checks
Confidential data posted to a companys public Web site
or inadequately secured accessible location
Improper disposal of data processing equipment
Accidental exposure through e-mail

Creating a Security Plan

Design a workable program
Use a layered framework
Implement security standards
View security as a program, not as a project
Keep security simple

Design a workable program

The key to success for any enterprise architecture initiative is having
a clear, well-developed security program with identified requirements
and attainable goals.
Breaking your program into smaller manageable projects ensures :
new technology meets your organizations needs before full implementation;
establishes clear, distinct goals that can be easily conveyed to the technology
implementers;
reduces users fear of change by taking things one step at a time.

Its also critical to ensure that expectations are reasonable, starting

from the top of the organization.
Executives must have a firm grasp of project goals to guarantee
funding and to communicate those goals to middle management and
rank-and-file employees.

Use a layered framework

Data
Applications that access the data
Hosts on which the applications
and data reside
Network on which the hosts
reside
Perimeter separating your
organizations network from the
public network
Facility housing the computing
equipment

Implement security standards

ISO/IEC 27000 series, published by the International
Organization for Standardization (www.iso.org)
Systems Security Engineering Capability Maturity Model
(www.ssecmm.org)
The Standard of Good Practice for Information Security,
published by the Information Security Forum (
www.isfsecuritystandard.com)
Special Publication 800 standards, published by the U.S.
National Institute of Standards and Technology (csrc.nist.gov)
Federal Information Processing Standards
(www.itl.nist.gov/fipspubs)

View security as a program, not as a

project
Projects have a beginning and an end, but programs are continuous.
The completion of the firewall installation project does not mean that your
organizations network will always be protected. Firewalls and other security
appliances and tools require ongoing maintenance and attention to ensure that
they remain effective.
Attackers are continuously looking for vulnerabilities and developing methods
to exploit them. Thousands of viruses are released every year, along with many
other assaults. It isnt much of an exaggeration to say that by the time you say,
The network is now secure, a new virus or other technique for exploitation
has been developed or a new vulnerability discovered.
Security is a constant game of cat-and-mouse. The enterprise, as the defender,
has a limited set of tools and finite resources for protecting the environment,
while there are countless numbers of attackers with access to (almost) limitless
attack tools that vary in scope, complexity, and sophistication.

Keep security simple

With security, you can have too much of a good thing.
You must find the proper balance between security and usability, or
risk having users bypassing controls in order to perform their jobs. For
example, password policies that call for frequent expiration of complex
passwords may lead to users writing down passwords and storing
them in convenient (but insecure) places.
IT security professionals can also suffer the effects of too much
complexity. They often want to log and monitor everything, which can
be detrimental to the health of the network without the proper tools to
filter those logs into usable data. You could compare logs to
surveillance footage from security cameras: Theyre excellent afterthe-fact investigation tools, but without the proper detection and alert
capabilities they do little to prevent an incident from occurring.

Developing a Security Policy

Classifying data to be secured
Addressing basic security elements
Getting management approval
Maintaining the policy
Training employees

Classifying data to be secured

You need to know the type of information that is on your
network before you can dictate policies regarding its
security. If youve selected an IT governance
framework , its likely to have a specific process for data
classification.
At a minimum, the data storage survey should reveal
enough information for you to classify your
organizations data by business function, sensitivity,
owner, and known security requirements based on legal
or contractual mandates

Addressing basic security elements

Administrative access
The security policy should contain rules that govern the creation, use,
and management of accounts with administrative access.

Acceptable use
The policy should include an acceptable-use policy so that
appropriate use of technology is clearly defined

Authorized software
The policy should cover procedures for software installation, including
whether end users are allowed to install software on their own.

Data disposal
The policy dictates the procedures to follow when disposing of
storage media that may contain data.

Addressing basic security

elements
Encryption
The security policy should establish the appropriate use of
encryption as well as approved mechanisms

Firewall
Rules for how the organizations firewalls will manage network
traffic should be incorporated into the policy, including procedures
for updating and changing rules.

Incident management
The security policy should include clearly defined procedures for
security incident handling and reporting.

Addressing basic security

elements
Malware
The policy should indicate anti-malware software requirements,
including configuration, definition updates, scanning frequency, and
procedures to follow in the event of infection.

Passwords
The policy should state the organizations requirements for creating
and managing passwords. Remember to include requirements for
administrative and service account passwords.

Server and workstation hardening

The policy should provide guidance on necessary security controls
for base installations of servers and workstations, appropriate to
whatever platforms are in use. This policy can include items such as
removal of unnecessary services or changing default passwords.

Addressing basic security

elements
Social engineering awareness
Social engineering is a term used to describe a variety of psychological
techniques directed against people, such as manipulation, deceit, or
impersonation. The security policy should take social engineering into account
when addressing relevant policy elements such as passwords, social media, and
telephone procedures.

Social media
The policy should specify how the organization uses social media and how
employees are expected to represent the organization on social networking sites.

Telephone procedures
The policy should include what type of information can be provided over the
telephone and under what circumstances.

Waste disposal
Because attackers can gain valuable information from corporate trash, proper
waste disposal must be addressed.

Getting management approval

It ensures that those who control the finances
understand that security is important and must be
budgeted for.
It lets employees know that security is a valid business
concern

Maintaining the policy

Emerging security threats
Changes in business functionality or data classification
Implementation of new technology
Mergers and acquisitions
Security incidents

Training employees
After the policies are in place, employees must be educated about the policies
and the reasons behind them. They must also have clear instructions for
reporting suspicious behavior or events. This training should be conducted
regularly, to help keep employees alert and up-to-date on new procedures.
Employee training can be performed electronically using existing information
portals, or in person in small units or larger classes. Having properly trained
staff leading these events is critical in order to increase the likelihood of
employees both understanding the presented material and accepting the
trainings validity. Larger organizations usually have training staff available
through their human resources office. An organization lacking experienced
training staff should consider hiring an outside firm to provide this support.
Issues may come up in training sessions that arent addressed in the security
policy. Trainers should note these issues in an after-action review so that the
related policies can be reviewed and updated, if necessary

Using Technology to Support

Security Operations
Use collaborative technologies
Remain flexible
Plan for partner relationships
Outsource only when necessary

Use collaborative technologies

Collaborative technologies can be of tremendous
assistance during any project, from something as simple
as a server upgrade to a complete migration of
technology from one platform to another. These
technologies include :
E-mail and messaging
Discussion boards and wikis
Scheduling and task management
Conferencing (Web, voice, and video)

Use collaborative technologies

The architect must ensure that these solutions are in place
before beginning a security project so as to promote open
communication among all stakeholders. Collaboration tools
can serve to
Communicate new security policies
Announce potential threats
Detail how to address, report, or respond to these risks
Remind users of their responsibilities with regards to security
Provide a mechanism for security incident reporting

Remain flexible
Making changes to production architecture is difficult, at best,
particularly with regard to mission critical architecture. In a
production environment, you should expect that there have been
changes to the resources involved since the initial review was
conducted, and plans must be updated accordingly in order to
avoid disruption of services.
Flexibility is just as necessary for long-term planning, but remaining
adaptable becomes more complex as the environment fluctuates
from year to year due to changes in technology, operations,
business focus, and regulatory or legislative mandates..
Inclusion of entirely new vistas of computational capability can
require significant changes to existing strategies and policies.

Plan for partner relationships

Increasingly, organizations are entering into partner relationships
with other businesses, customers, vendors, and others that all require
some type of integrated external connectivity and information
sharing.
Examples include vendor-managed inventory systems, joint ventures,
automated shipping management, and clearinghouse functions (such
as billing and account management).
You must be aware of partner relationships and how they may affect
your enterprise, particularly with regard to connectivity and security.
Enterprises cannot afford to be blindsided by unforeseen IT
requirements due to new regulatory mandates or other requirements
imposed on the business due to a partner relationship.

When is outsourcing security a good

idea?
Although you cant transfer liability, it may be costeffective for some organizations to consider outsourcing
individual security functions that are laborious or that
require specific skills not available within the
organization.
Surprisingly, some security functions, particularly those
that are time consuming, lend themselves well to
outsourcing.

When is outsourcing security a

good idea?...
Outsourcing security functions models
Security as a service:
Economy of scale is used to offer services and products to organizations at substantially lower costs
than if the organization had to make the purchase itself.
The products and services are owned by the provider and delivered and managed remotely on a pay for
use or subscription basis.
Antivirus products, managed e-mail products, and log management services fit into this model. Log
management, especially in large organizations with extensive logging capabilities, may be a candidate
for outsourcing in order to have access to more robust log management software and 24x7 monitoring.

Managed security services:

The hardware or software involved may be owned by either the organization or the provider, but are
managed remotely by the provider.
These services are more likely to be customizable, and include offerings such as vulnerability scanning,
virtual private networking, and firewall management.
Smaller organizations may find firewall management to be exceptionally cost effective due to the
significant amount of technical expertise that is required to implement and maintain the system.

Outsource only when necessary

Executives often find it tempting to outsource IT services, particularly those in
which hardware purchases are required, in order to reduce costs. Technology
may become obsolete before its fully amortized and a company may want to
move the costs from the capital budget to the operating budget for accounting
purposes. Due to the dynamic nature of information technology, this years
state-of-the-art firewall could be next years state-of-the-art doorstop.
Data processing and software development are also commonly outsourced
functions, but that has the potential to carry significant risk. It should be done
only when necessary and then only after carefully reviewing the laws and rules
that apply to the data involved in those functions.
The decision to outsource should not be taken lightly or made quickly because
it is often easier to streamline local operations than to return operations inhouse after an outsourcing failure. Recommend outsourcing only when its
truly necessary to avoid adding complexity or excessive cost to