IT Manager’s checklist
IT security managers have to undertake a series of exercises to identify, prioritise and address
risks affecting their organisations’ sensitive information, writes R Sundar.
Several underlying themes dictated by the organisation’s business requirements and its
operating environment drive the development of an organisation’s security principles. For
instance, in an operational environment to be competitive in the market, a bank may extend
access to its core financial systems through an Internet banking channel to offer 24x7 services
to customers. Thus, one of the security principles for this bank would be to comply with the
Internet banking services guidelines of the RBI. Security policies are founded on and flow from
security principles. For instance, a bank’s security policy may state that access to sensitive
information and systems will be restricted to authorised personnel only and any such access
will be logged and the logs will be periodically reviewed for anomalous entries.
Principles and policies serve as the drivers of an organisation’s security initiatives. In the above
example, to determine what constitutes sensitive information, an information classification
exercise becomes necessary. Moreover, security policy also serves as a baseline that influences
the acquisition and configuration of the system and security software and devices that are
required to enforce the organisation’s security requirements in order to ensure compliance with
policies.
Corporate security policies and standards are the cornerstones of an integrated security
architecture. Policies and processes linking financial, legal and business requirements ensure
the alignment of an organisation’s security investments with its perceived business risks.
Organisations should develop policies and standards to ensure that business imperatives as
well as legal and financial obligations are met and employee awareness is created.
Information classification
To protect an organisation’s information assets, the IT security manager must have sufficient
knowledge of the business processes and the underlying applications supported by the same.
http://www.expresscomputeronline.com/cgi-bin/ecprint/MasterPFP.cgi?doc= 12/11/2007
An IT security manager’s checklist - Express Computer Page 2 of 4
The IT security manager should have access to a variety of technologies and asset identification
methodologies to identify organisational assets, document the business processes that they
support and prepare an inventory of assets, which allows the manager to understand the
breadth of the organisation’s systems, networks, applications and information.
It is imperative that the security initiative focuses on the information that needs to be
protected and remains agnostic to the multitude of forms in which that information
manifests itself. For example, if an employee can effectively eavesdrop on a VoIP conversation
involving the CFO, confidentiality is defeated. The type and extent of security required is
ultimately dependent on the information to be protected and, therefore, classifying information
and building an inventory of the assets that store or handle it is a natural starting point for
such an exercise. Business process owners know best when it comes to gauging the importance
of information and hence should be involved to a great extent in any information classification
exercise. The objective is to determine the security requirements of the information which can
be done by considering the impact to the business if confidentiality and integrity are lost or it
becomes unavailable. Since the prime focus is on information and not on the IT infrastructure,
making an inventory of assets should not be restricted to prominent information sources and
sinks alone. Assets that handle the information such as printers and VoIP equipment should
also be taken into consideration.
Risk assessment
A formal risk assessment should be carried out to determine the level of security needed to
support a specific business process or initiative. The IT security manager should identify the
risks that affect an organisation’s ability to protect the confidentiality, integrity and availability
of its critical information assets, and should see to the development of a structured information
classification model.
Once the important information has been identified, and it is known why the said
information is important and which information assets handle it, the next step is to determine
the risk to which such information is exposed. Risk arises from a combination of threats and
vulnerabilities. In any organisation, there may be entities—current and past employees,
competitors, script kiddies, or seasoned crackers—who would be interested in enjoying greater
access to its information resources than they have a legitimate right to. These entities, along
with natural forces that may unintentionally affect the security of sensitive information,
constitute threats. However, a threat ceases to represent a risk when there is no vulnerability
for it to exploit.
Vulnerabilities represent weaknesses that can be accidentally triggered or intentionally
exploited. Risk assessment necessitates the undertaking of a comprehensive evaluation of
threats and vulnerabilities that can affect an organisation’s information assets.
Risk mitigation
Once the IT security manager knows the risks to which critical information assets are
exposed, the obvious action to be taken is to introduce additional controls to
mitigate the said risks. The objective is to reduce the residual risk to acceptable levels with a
minimal reduction in other system capabilities. This can be done by eliminating the threat or
the weakness or both, by restricting the impact of the weakness, or by implementing methods
to detect the exploitation of the weakness and take appropriate action. Risk mitigation refers to
prioritising, implementing and maintaining the appropriate risk-reducing measures.
Prioritisation is based on the risk quantified in the risk assessment phase based on likelihood
assessment and impact analysis. Implementation may involve acquisition and deployment of
devices and applications from various vendors suitably supplemented with administrative
measures.
Security architecture
This constitutes the comprehensive arrangement of various security components within the
context of the operational infrastructure for protecting critical information assets; detecting and
responding to security breaches or attempts at such breaches. Ideally, a security architecture
should adopt a defence-in-depth approach addressing security at network, server, application,
data and human levels.
Once the basic infrastructure security components are implemented, standard operating
procedures should be developed to ensure effective and efficient operations as well as to enable
adherence to the organisation’s information security policies.
Procedures are typically developed for managing identities, provisioning access, backup and
restoration, monitoring of security incidents, incident management, periodic assessment,
patch management and configuration change management.
It is well known that security is often breached by exploiting the weakest link. More often than
not, this weakest link is the user. In many organisations, the user population is predominantly
non-technical and is unaware of the significance of information security and the risks posed to
information assets. As a result, an attacker need not even be technically competent to leverage
the ignorance of the user population as he or she could easily resort to social engineering
attacks to gain the necessary system information. Hence, it is advisable to periodically conduct
security awareness programmes and educate users about the security measures put in place and
their role and responsibility in ensuring the security of the organisation’s information assets.
Further, all new hires who use information resources, or who have access to areas where
information resources reside, must also receive formal security awareness training at the
earliest.
Security is not a one-time activity; it is an ongoing process. New vulnerabilities affecting
infrastructure components and system applications are discovered almost on a daily basis,
thereby requiring continuous efforts on the part of the security team to stay up-to-date with
the latest sets of patches. Further, as business requirements constantly change, existing
system configuration may undergo modifications and new components and applications may be
introduced to meet additional business demands. These changes and new introductions may
also introduce vulnerabilities that were hitherto non-existent. Consequently, periodic audit of
information systems must be carried out either by a team of internal experts or by a competent
external party.
The author is Associate Director, Ernst & Young. He can be reached at r.sundar@in.ey.com