An IT security manager’s checklist - Express Computer Page 1 of 4

Printer Friendly Version

WEB LINK - http://www.expresscomputeronline.com/20051226/bestdefence03.shtml

IT Manager’s checklist

An IT security manager’s checklist

IT security managers have to undertake a series of exercises to identify, prioritise and address
risks affecting their organisations’ sensitive information, writes R Sundar.

An organisation should address the aspect of controlling and securing its

information assets with an integrated and tangible index of service offerings.
A fully integrated security architecture provides a framework for the
application of a consistent and unified approach by which an organisation’s
IT security manager can develop and improve information security within the
said organisation’s business operations.

Ideally, the security set-up should be driven by business requirements or

objectives as reflected in the management’s expectations for security. In
R Sundar practice, this is influenced by the technical, legal and regulatory
environment in which an organisation functions. Considering the myriad
factors that influence the security requirements of an organisation, an IT security manager has
to undertake a series of exercises to identify, prioritise and address risks affecting an
organisations’ sensitive information.

Principles and policies

Several underlying themes dictated by the organisation’s business requirements and its
operating environment drive the development of an organisation’s security principles. For
instance, in an operational environment to be competitive in the market, a bank may extend
access to its core financial systems through an Internet banking channel to offer 24x7 services
to customers. Thus, one of the security principles for this bank would be to comply with the
Internet banking services guidelines of the RBI. Security policies are founded on and flow from
security principles. For instance, a bank’s security policy may state that access to sensitive
information and systems will be restricted to authorised personnel only and any such access
will be logged and the logs will be periodically reviewed for anomalous entries.

Principles and policies serve as the drivers of an organisation’s security initiatives. In the above
example, to determine what constitutes sensitive information, an information classification
exercise becomes necessary. Moreover, security policy also serves as a baseline that influences
the acquisition and configuration of the system and security software and devices that are
required to enforce the organisation’s security requirements in order to ensure compliance with
policies.

Corporate security policies and standards are the cornerstones of an integrated security
architecture. Policies and processes linking financial, legal and business requirements ensure
the alignment of an organisation’s security investments with its perceived business risks.
Organisations should develop policies and standards to ensure that business imperatives as
well as legal and financial obligations are met and employee awareness is created.

Information classification

To protect an organisation’s information assets, the IT security manager must have sufficient
knowledge of the business processes and the underlying applications supported by the same.

http://www.expresscomputeronline.com/cgi-bin/ecprint/MasterPFP.cgi?doc= 12/11/2007
An IT security manager’s checklist - Express Computer Page 2 of 4

The IT security manager should have access to a variety of technologies and asset identification
methodologies to identify organisational assets and document the business processes that they
support and to assist in preparing an inventory of assets which allows to understand the
breadth of the organisation’s systems, networks, applications and information.

It is imperative that the security initiative focusses on the information that needs to be
protected and be agnostic as far as the multitude of forms in which the same information
manifests itself. For example, if an employee can effectively eavesdrop on a VoIP conversation
involving the CFO, confidentiality is defeated. The type and extent of security required is
ultimately dependent on the information to be protected and, therefore, classifying information
and building an asset inventory that stores or handles information is a natural starting point for
such an exercise. Business process owners know best when it comes to gauging the importance
of information and hence should be involved to a great extent in any information classification
exercise. The objective is to determine the security requirements of the information which can
be done by considering the impact to the business if confidentiality and integrity are lost or it
becomes unavailable. Since the prime focus is on information and not on the IT infrastructure,
making an inventory of assets should not be restricted to prominent information sources and
sinks alone. Assets that handle the information such as printers and VoIP equipment should
also be taken into consideration.

Risk assessment

A formal risk assessment should be carried out to determine the level of security needed to
support a specific business process or initiative. The IT security manager should identify the
risks that impact an organisation’s ability to protect the confidentiality, integrity and availability
of its critical information assets and the development of a structured information classification
model.

Once the important information has been identified, and it is known as to why the said
information is important and which information assets handle it, the next step is to determine
the risk that such information is exposed to. Risk is exemplified by a combination of threats. In
any organisation, there may be entities—current and past employees, competitors, script
kiddies, or seasoned crackers—who would be interested in enjoying greater access to its
information resources than they have a legitimately right to. These entities, along with natural
forces that may unintentionally affect the security of sensitive information, constitute threats.
However, a threat ceases to represent a risk when there are no vulnerabilities to exercise.
Vulnerabilities represent weaknesses that can be accidentally triggered or intentionally
exploited. Risk assessment necessitates the undertaking of a comprehensive evaluation of
threats and vulnerabilities that can affect an organisation’s information assets.

Threats and vulnerabilities analysis

Vulnerability analysis focusses on technical and non-technical

weaknesses affecting information assets. It does not make a distinction
between those that can be easily exploited and those that probably may
never be exercised. In order to derive significant meaning, vulnerability
analysis must be correlated with potential threats. A vulnerability may
not be actively exploited because of the considerable capability required
on the part of the exploiter. Thus the likelihood of exploitation of a
vulnerability is typically determined by its popularity and the simplicity with which it can be
exercised. Coupled with the business impact of the weakness, the likelihood of its exploitation
determines the risk that the information asset is exposed to owing to that weakness. This
explains why the risk posed by a weakness differs depending on the source of the threat.

http://www.expresscomputeronline.com/cgi-bin/ecprint/MasterPFP.cgi?doc= 12/11/2007
An IT security manager’s checklist - Express Computer Page 3 of 4

Risk mitigation

Once the IT security manager has the knowledge of the risks to which critical information
assets are exposed to, the obvious action to be taken is to introduce additional controls to
mitigate the said risks. The objective is to reduce the residual risk to acceptable levels with a
minimal reduction in other system capabilities. This can be done by eliminating the threat or
the weakness or both, by restricting the impact of the weakness, or by implementing methods
to detect the exploitation of the weakness and take appropriate action. Risk mitigation refers to
prioritising, implementing and maintaining the appropriate risk-reducing measures.
Prioritisation is based on the risk quantified in the risk assessment phase based on likelihood
assessment and impact analysis. Implementation may involve acquisition and deployment of
devices and applications from various vendors suitably supplemented with administrative
measures.

Security architecture

This constitutes the comprehensive arrangement of various security components within the
context of the operational infrastructure for protecting critical information assets; detecting and
responding to security breaches or attempts at such breaches. Ideally, a security architecture
should adopt a defence-in-depth approach addressing security at network, server, application,
data and human levels.

Infrastructure and security components that constitute an architecture must be deployed by

adhering to technology specific Minimum Baseline Security Standards (MBSS). MBSS define the
system configuration values that must be set on the installed components. These could be
defined either by the organisation for each operating system, device and application or they
could be adopted from the standards recommended by vendors and organisations like National
Security Agency (NSA), National Institute of Standards and Technology (NIST) or Center for
Internet Security.

Drafting comprehensive procedures

Once the basic infrastructure security components are If an employee can effectively
implemented, standard operating procedure should be developed eavesdrop on a VoIP conversation
to ensure effective and efficient operations as well as to enable involving the CFO, confidentiality
is defeated. The type and extent
adherence to the organisation’s information security policies.
of security required ultimately
Procedures are typically developed for managing identities, depends on the information that
provisioning access, backup and restoration, monitoring of has to be protected
security incidents, incidence management, periodic assessment,
patch management and configuration change management.

The weakest link

It is well known that security is often breached by exploiting the weakest link. More often than
not, this weakest link is the user. In many organisations, the user population is predominantly
non-technical and is unaware of the significance of information security and the risks posed to
information assets. As a result, an attacker need not even be technically competent to leverage
the ignorance of the user population as he or she could easily resort to social engineering
attacks to gain the necessary system information. Hence, it is advisable to periodically conduct
security awareness programmes and educate users of the security measures put in place and
their role and responsibility in ensuring the security of the organisation’s information assets.
Further, all new hires who use information resources or who have access to areas where
information resources reside, must also receive formal security awareness training at the
earliest.

http://www.expresscomputeronline.com/cgi-bin/ecprint/MasterPFP.cgi?doc= 12/11/2007
An IT security manager’s checklist - Express Computer Page 4 of 4

Periodic security audits

Security is not a one time activity, it is an ongoing process. New vulnerabilities affecting
infrastructure components and system applications are discovered almost on a daily basis,
thereby requiring continuous efforts on the part of the security team to stay up-to-date with
the latest sets of patches. Further, as business requirements constantly change, existing
system configuration may undergo modifications and new components and applications may be
introduced to meet additional business demands. These changes and new introductions may
also introduce vulnerabilities that were hitherto non-existent. Consequently, periodic audit of
information systems must be carried out either by a team of internal experts or by a competent
external party.

The primary advantage of an architectural approach to information security is the alignment of

an organisation’s investment in security with its perceived business risks. As speed to market is
critical, organisations should optimise their effectiveness in emerging market conditions without
the issues of security impacting either their market or business initiatives. With this approach,
organisations are able to maximise their investments and know that their vital resources are
secured and protected.

The security architecture process enhances competitive advantage by enabling the IT

infrastructure to securely meet critical business objectives. Implementing a security
architecture not only helps organisations address security issues, but also drives greater
efficiencies and permits greater reliance on systems and controls in place.

The author is Associate Director, Ernst & Young. He can be reached at r.sundar@in.ey.com

http://www.expresscomputeronline.com/cgi-bin/ecprint/MasterPFP.cgi?doc= 12/11/2007