Security Management

The process of security management is an all-encompassing one. The process includes managing strategic policies, departmental policies, technology issues, and personnel issues. Each of these areas must be addressed in order to have an effective security system. One of the more difficult aspects of managing security is that change is a constant part of the process. Change is difficult in the best of circumstances. Your job includes understanding the best practices of security management and change management, and you must ensure that people are informed when changes need to be made. This section discusses these three areas in more depth.

Best Practices and Documentation

The term best practices refers to a set of recommendations about a practice or process. In this case, these recommendations help provide an appropriate level of security for an organization. This section provides an overview of the best practices involved in a security program, and the following sections describe the components that must be considered when evaluating your current security practices.

Standards, Guidelines, Policies, and Procedures

Organizational security policies describe what activities, processes, and steps are necessary to continue your security program. These policies provide the glue that holds the security program together. Policies and procedures also set expectation levels within the organization to help keep things moving forward. At a minimum, your organization should have policies that define the following areas.

Information Classification Policies and Notification

Information classification policies define how information is classified. The most common types of classification involve an evaluation of whether information is internal or external and whether it can be used for public dissemination or controlled distribution. These policies help everyone in an organization understand the requirements of information usage and confidentiality.

Notification policies define who is notified when information classifications need to be evaluated, changes are made, and information is updated.

Many organizations have mountains of information that needs to be classified, and many have implemented automatic downgrading policies for it. These policies may specify how long information must be retained or when it must be reviewed; the review determines whether the information must be kept or can be disposed of. This process can significantly reduce the amount of information that requires special storage in an organization. The U.S. government implemented an automatic declassification system several years ago, and it has saved the government billions in storage and security costs.

Information Retention and Storage Policies

Information retention and storage policies deal with how information is stored, how long it is retained, and any other significant considerations about information. These policies should identify who owns certain types of information and how long the information should be retained. One of the biggest problems facing larger facilities is the amount of data that is backed up and stored. Information organization, data library capabilities, and good operational procedures can help make this task manageable.

Schools and similar organizations are required to keep certain information, such as transcripts, forever. The information retention problems associated with these types of situations can be overwhelming for some organizations. The University of Washington in Seattle had to convert a large underground parking garage into a records storage facility for student records. They have the transcript of every student who has attended the university since its opening over 100 years ago.

Information Destruction Policies

Information destruction policies define how information is destroyed when it has reached the end of its useful life. The elimination of unneeded paper and other confidential files is a big job for many organizations. Sensitive information should be shredded or incinerated when it is no longer needed. This reduces the likelihood that this information will wind up in the wrong hands. Computer systems, when they are retired, should have the disk drives zeroed out, and all magnetic media should be degaussed. Degaussing involves applying a strong magnetic field to initialize the media. Erasing files on a computer system does not guarantee that the information is not still on the disk. Systems can have low-level formats performed on them, or a utility can be used to completely wipe the disk clean. This process helps ensure that information does not fall into the wrong hands.

Real World Scenario: Selling Your Old Computers

Recently, a company decided that it needed to close its doors and go out of business. It had an extensive inventory of computer equipment and licensed software, and it decided to hold a "going out of business sale" on the computer equipment. When it sold the systems, it merely deleted sensitive information from them and kept the operating systems installed. When the sale was announced, the company received a nasty letter from one of the large software manufacturers informing it that it was in violation of the End User License Agreement (EULA). It had to remove the operating systems from all these computers in order to comply. It could sell the computers, and it could sell the operating system media separately, but it could not sell them together.


The low-level format returns a disk drive or other magnetic media back to the state it had when it was brand new. The process physically rewrites every location on the disk back to its original state. Windows and DOS systems can use a program called DEBUG to perform this task. Most disk manufacturers either provide utilities to accomplish this, or can recommend what tools to use. You want to verify the procedures and settings for a low-level format from the disk manufacturer because incorrect settings can cause a disk drive to work unreliably or become extremely slow.
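The text's point that deleting a file leaves its contents on the disk can be shown at file level: overwriting the existing blocks with zeros, forcing the write to the device, and verifying before unlinking. The block below is an added example, not code from the book; the function names and the constructed "payroll" content are assumptions, and it illustrates the idea rather than replacing the whole-drive zeroing or degaussing the text describes.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # overwrite in 1 MiB pieces so large files need not fit in memory

def zero_fill(path):
    """Overwrite every byte of `path` with zeros in place; return bytes written.
    Opening with r+b (not w) rewrites the existing blocks instead of truncating,
    which would merely release them for reuse with the old data still present."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            f.write(b"\x00" * n)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # push the zeros through the OS cache to the device
    return size

def is_zeroed(path):
    """Return True only if every byte of the file reads back as zero."""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True
            if chunk.count(0) != len(chunk):
                return False

def wipe_file(path):
    """Zero-fill, verify the overwrite, then unlink; return bytes overwritten.
    Caveat: SSD wear levelling and copy-on-write or journaling filesystems may
    place the zeros on different physical blocks, so this is a file-level
    illustration, not a substitute for whole-drive zeroing or degaussing."""
    written = zero_fill(path)
    if not is_zeroed(path):
        raise RuntimeError("verification failed: non-zero data remains in " + path)
    os.remove(path)
    return written

def demo(directory=None):
    """Create a constructed sample file, wipe it, and return
    (zeroed_before_wipe, bytes_overwritten, file_still_exists)."""
    fd, path = tempfile.mkstemp(prefix="retired-", dir=directory)
    os.write(fd, b"PAYROLL 2006 Q1 - CONFIDENTIAL\n" * 1000)  # constructed content
    os.close(fd)
    before = is_zeroed(path)
    return before, wipe_file(path), os.path.exists(path)
```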

Security Policy

A security policy defines what controls are required to implement and maintain the security of systems, users, and networks. This policy should be used as a guide in systems implementations and evaluations. Security policies have been extensively discussed throughout the book, and you should be aware of their key aspects.

Use Policy

Use policies describe how the employees in an organization can use company systems and resources. This policy should also outline the consequences for misuse. The policy (also known as an acceptable use policy) should also address software installation on company computers.

A few years ago, an employee in a large company was using a corporate computer system to run a small accounting firm he had started. He was using the computers on his own time. When this situation was discovered, he was immediately fired for the misuse of corporate resources. He sued the company for wrongful discharge and won the case. The company was forced to hire him back and pay his back wages, and he was even awarded damages. The primary reason the company lost the case was that the use policy did not say he couldn't use the company computers for personal work, only that he couldn't use them during work hours. The company was not able to prove that he did personal work during work hours. Make sure your use policies provide you with adequate coverage regarding all acceptable uses of corporate resources.

Backup Policy

An organization's backup policy dictates what information should be backed up and how it should be backed up. Ideally, a backup plan is written in conjunction with the Business Continuity Plan. Backup policies also need to set guidelines for information archival.

Configuration Management

Configuration management refers to the types of steps that are needed to make changes in either hardware or software systems. These procedures help define upgrade processes, as well as system retirement procedures. In a large organization, configuration management is a difficult job. There will be multiple generations of hardware and software in most organizations. Many older or legacy systems may have applications on them that have been installed for years. In some organizations, these systems may have little if any documentation about configuration or usage. If one of these legacy systems has mission-critical data stored on it, provisions must be made to archive this information or upgrade it to a newer system.

Logs and Inventories

Logs and inventories help an organization know what is happening to organizational systems and assets. Keeping track of system events and asset inventories is an important aspect of security. System logs tell us what is happening with the systems in the network. These logs should be periodically reviewed and cleared, because logs tend to fill up and become hard to work with. It is a good practice to review system logs on a weekly basis to look for unusual errors, activities, or events. Logging levels can also be established to focus logging on certain types of events, such as failed logon attempts. This information can help you discover that an attacker is trying to break into your system before he succeeds.

Inventories refer to both the physical assets and the software assets your company owns. Software assets, in many situations, exceed the value of the hardware assets of companies. These assets need to be regularly inventoried. Software needs to be secured when not needed. Installed software needs to be periodically inventoried to make sure that it is current, licensed, and authorized for use in your network. There are products (such as Microsoft's SMS and CA Unicenter) that can be used to assist with asset management and inventory.
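A weekly log review of the kind described above can be partly automated: parse the logon events, group failures by source address, and flag any source that produced a burst of failures, noting whether a successful logon followed the burst. This is an added example, not code from the book; the log line format, the function names and the sample lines are constructed assumptions, and the thresholds are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not taken from the book); one logon event per line.
SAMPLE_LOG = """\
2006-03-01 08:00:01 srv1 auth: Successful logon for alice from 10.0.0.5
2006-03-01 08:00:10 srv1 auth: Failed logon for admin from 192.0.2.44
2006-03-01 08:00:12 srv1 auth: Failed logon for admin from 192.0.2.44
2006-03-01 08:00:15 srv1 auth: Failed logon for root from 192.0.2.44
2006-03-01 08:00:17 srv1 auth: Failed logon for bob from 10.0.0.7
2006-03-01 08:00:20 srv1 auth: Failed logon for admin from 192.0.2.44
2006-03-01 08:01:00 srv1 auth: Failed logon for admin from 192.0.2.44
2006-03-01 08:01:05 srv1 auth: Successful logon for admin from 192.0.2.44
2006-03-01 09:30:00 srv1 auth: Successful logon for bob from 10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) auth: "
    r"(?P<outcome>Failed|Successful) logon for (?P<user>\S+) from (?P<ip>\S+)$"
)

def parse_log(text):
    """Parse log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(ev)
    return events

def find_suspicious_sources(events, threshold=3, window_seconds=300):
    """Return {ip: (total_failures, success_after_failures)} for each source IP
    with at least `threshold` failed logons inside any `window_seconds` span. A
    success after the burst is flagged: the account should be checked."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["outcome"] == "Failed"]
        longest, start = 0, 0
        for end in range(len(fails)):  # sliding window over failure timestamps
            while (fails[end]["ts"] - fails[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            longest = max(longest, end - start + 1)
        if longest >= threshold:
            last_fail = fails[-1]["ts"]
            success_after = any(e["outcome"] == "Successful" and e["ts"] > last_fail for e in evs)
            findings[ip] = (len(fails), success_after)
    return findings
```

On the sample above only 192.0.2.44 is reported, with five failures followed by a success; bob's single typo from 10.0.0.7 stays below the threshold.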

Real World Scenario: Where Did My VAX Go?

A large manufacturer once lost $1,000,000 worth of computer equipment. This equipment could not be found when an audit was performed. This loss caused a major panic for the organization, as this equipment was part of a government project and the government wanted to know where it was.

It turned out that the equipment had been moved and put into storage. Unfortunately, the equipment move had not been updated in the inventory, and it had somehow become misplaced. This company had to search all of its extensive warehouse space in order to find it. Finally, they did find it, and a major confrontation with the U.S. government was averted. Had the company not been able to locate this equipment, they would have potentially had to pay to replace it.


System Architecture

The system architecture of many organizations includes software and hardware. Good drawings and documentation of your system architecture are immensely valuable when you are troubleshooting or considering making changes. These documents provide you with the blueprint of your organization's infrastructure. Keep these documents up-to-date, as it is very hard to troubleshoot a network with out-of-date information.

Change Documentation

Change documentation involves keeping records about how your network or organization changes over time. As with system architecture information, it is extremely helpful to have changes in your network well documented. The process of change and change management is a big area, and it is discussed in a separate section later in this chapter.

User Management

Procedures for user management identify authorization, access, and methods used to monitor access of organizational computer systems. These procedures may involve multiple systems, multiple platforms, and organizational issues. These procedures need to address hiring, termination, and reclassification of employee access. Reporting, notification procedures, and responsibility are also key components of these procedures.

Resource Allocation

Resource allocation refers to the staffing, technology, and budget needed to implement an effective security environment. Your organization will frequently have to balance risk management against preventative measures. History has shown that a well-developed, properly implemented plan costs more to design than one that is thrown together and hastily implemented. The higher up-front cost tends to be a sound investment over the long run. This planning process requires staff, time, and budget.

Budgetary issues can be very contentious when considering security options. Security initiatives are at times hard to quantify or provide real numbers to justify. This is in part because it is as much a process-oriented environment as it is a product-oriented environment.

Process-oriented issues deal with research, planning, architecture, audits, and policy development. These issues tend to become complicated, and they should be considered before any action is taken. Funds must be allocated for the planning process. While someone is planning, other work is not being accomplished. If an organization is not willing to allocate the budget for planning processes, the likelihood of a successful implementation decreases dramatically.

Budget is always an issue for security processes. The major problem lies in the fact that security is not often viewed as a value-added process. Security efforts are also often implemented on a piecemeal basis. If you are trying to establish the need for security, you should look at it from an organization-wide view. When possible, make sure department heads, managers, and other key people become involved in the process. Most successful security efforts have been implemented as enterprise-wide solutions. Security affects everyone. A breach of security can embarrass the organization and even expose it to financial risk. These issues can be discovered if everyone is involved in figuring out what the true costs of security problems are from both a customer and an organizational perspective.

Responsibility

Clear areas of responsibility must be implemented for a security initiative to be successful. This includes implementation, management, and ongoing maintenance. Effective security requires effective management. This responsibility may reside at an executive level, as part of a management committee, or as a separate department within an organization. Members of the security team, as well as other members of the organization, must be clear about reporting paths and authority. Your training and security knowledge make you the ideal candidate to be the champion of security efforts in your organization.

Prevention

A big component of the security effort revolves around prevention. Accidents happen, incidents occur, and humans make mistakes. These mistakes can be minimized if strong preventative measures are considered as part of the process. Preventative measures include training, awareness, and careful reviews of processes and policies. The old saying "an ounce of prevention is worth a pound of cure" is nothing but the truth in a security effort.

Make sure that managers and employees are aware of the types of activities that occur in the field, and make sure they know how to implement and continue to support security efforts. These tasks are key aspects of prevention.

IT staff, including network administrators, must be kept up-to-date on industry trends, measures, exploits, and countermeasures to deal with the threat. You can be a big asset to the IT staff if you help them remain current. Virtually all network administrators want to have secure environments. Unfortunately, just keeping a large network functioning can be overwhelming. Your assistance in helping them secure networks is a big help to them, and they will probably appreciate your efforts.

Enforcement

When an incident or a security violation happens, swift and decisive action must be taken. This may include additional training, disciplinary action, or other measures in the organization. It is human nature to neglect policies and procedures when they are not enforced. You will want to make sure that everyone involved in information processing is aware of the policies and procedures of the organization. When a problem is discovered, the specifics of the problem must be clear to management. Before taking corrective action involving employees, it is a good idea to understand the knowledge level of the employees involved. It does no good to punish someone who does not know better.

The intention here is not to turn you into security police, but to remind people that policies matter, that there are consequences for not following them, and that someone is watching activity. In many cases, this is enough of a deterrent to prevent dishonest acts, and it is a reminder that people cannot let their guard down about security.

Real World Scenario: You Be the Judge

You have been monitoring the activities of users in your company. You unintentionally intercepted an e-mail on the system indicating that one of the key employees in the organization has a drug problem and is in a treatment program. What should you do with this information?

This is a tough situation to be in, and one you will find yourself in more often than you want. This information was gained by accident, and it is potentially embarrassing and sensitive in nature. You would probably be best served by not disclosing it to anyone. If you are uncertain, discuss the general situation with your Human Resources department, and avoid specifics until you know how the company wants to handle it. There are both ethical and legal issues involved, and you will have to find your way through them. However, you should never discuss the matter with anybody without first consulting with HR, and you should certainly never discuss it with anybody but authorized personnel.




CompTIA Security+ Study Guide. Exam SY0-101
Security+ Study Guide
ISBN: 078214098X
Year: 2006
Pages: 167
