Define What You Have

I l @ ve RuBoard

Define What You Have

Most organizations have some basic security measures, even if they are only informal activities. The current status of the security procedures must be evaluated, not only for their effectiveness but also for their applicability to the areas that the risk analysis has determined to be important. It needs to be determined if they appropriately address the areas of security that are most important to the organization. Evaluation of the effectiveness of current processes requires analysis of the procedures and testing of the practices.

Policies and Procedures

All organizations have security policies and procedures, even if they have no written security policies and procedures. There are policies in other groups outside the information technology group , such as human resources, which have security aspects. They will define acceptable and unacceptable behavior and how to handle employees who are in violation of the policies. These are a great starting point in developing security-specific policies.

The information technology department will have procedures which pertain to security. It will have data handling procedures for backup and recovery and processes for adding new users and other activities which involve security. These practices will need to be evaluated and incorporated into written security policy and procedures.

The organization's policies which are already in place will need to be examined to determine how they can be applied to information security or how to draft new policies that follow them. Often an organization's employee personnel policies and physical security policies can directly apply or be broadened to encompass information security.

I l @ ve RuBoard

Define How to Protect It

Defining the protection process creates a framework in which to build security processes and evaluate security products. This foundation should define the attributes of the system (availability, confidentiality, integrity) which need protection, the priorities in protecting them, and the processes to be used to protect them. A number of security principles should be utilized.

Defense in Depth

No single security measure will stop all attacks against a resource's availability, confidentiality, and integrity, so multiple measures have to be used. Defense in depth says that there should be layers of security, each addressing specific security issues. This layering creates a more comprehensive security solution. It also require's that an attacker penetrate layer them to get access to the resources.

Isolation

Isolation protects processes from the side effects of other processes. The further isolated a system is from an untrusted area, the less likely it is to be compromised. Physical separation provides isolation. This can be applied to isolating networks, or power sources.

Separation of Duties

Separation of duties provides accountability by requiring different people to perform the different steps in a process. This increases the complexity of committing fraud by requiring that multiple people be involved. Having more people required to commit fraud increases opportunities for mistakes or the likelihood that someone will talk.

Least Privileges

The principle of least privilege is that a person should be given no more than the very least privileges needed, for the minimum amount of time required to perform his or her duties. This minimizes the opportunity to abuse these privileges and the possibility of accidental abuse of privileges.

The level of privileges granted should be based on a business need and justification. This exercise will help clarify the business processes and the security issues with them.

Set Minimum Security Requirements

Minimum security requirements should be defined. These will set a base line of security which must be met. Document all exceptions with a business justification and a definition of what is being done instead to mitigate the specific risk.

Implement Change Control

Most vulnerabilities are a result of inadequate management of change ” changes to source code, changes to system configuration, or changes in personnel. A controlled change-management procedure can help eliminate the mistakes and improve the likelihood that malicious changes will be caught.

I l @ ve RuBoard