Chapter 16: The Final Word


This book explains much of the technology that goes into creating a secure network. It is true that this technology can be used to provide a sense of trust in your information, but it would be unwise to pretend that a single box or line in an information security policy can provide all that is required for "security." Information security is an iterative process. You create the policy, implement the policy, enforce the policy, and review the policy when things go wrong. Notice the emphasis on policy. The cycle of information security is not written as, "You create the firewall, you implement the firewall, you ..." You get the idea.

That said, it is indeed important to understand the technology so you will have a good idea of how a particular solution will reduce the risk to information on your network. I cannot tell you what a good acceptable use policy (AUP) for your network is or what the value of your assets is, but I can provide the information required to make an intelligent choice of countermeasures when you are looking for the way to enforce certain provisions of your information security policy.

Now that we have made it this far through the book, let us just take a couple pages to sum up the steps required to "secure" your network.

The very first step? Convince those in charge that this process is worthwhile to your organization. There are numerous ways to do this. You can point to virtually any newspaper and say, "This could be us!" You can bring out a book of the appropriate state and federal laws and say again, "This could be us they come after!" Indeed, these are both reasons to support information security. Either of these techniques, while emphasizing the importance of information security, is sending the message that information security is a necessary evil, an add-on that drains revenue and produces no return. Instead of opting for the sensationalistic method of convincing management, however, attempt to persuade them using business logic. You have the knowledge to create the information security policy in a manner that supports the business and adds to the bottom line through increased network efficiency, decreased downtime, and perhaps shareholder confidence. You can do this because you can create an information security policy that not only complements the corporate mission, but is cost-effective as well.

You should no longer be concerned about providing the very best security that money can buy. You now know that this is, in practice, impossible. Your goal is to provide security in a manner that is appropriate to the likely risks your information will face and the relative value of your assets.

The best security process starts with an examination of the company mission statement. Answer the following questions:

  • What keeps your company in business?

  • What keeps everyone working?

  • What does the future hold for your organization?

Finally, using the information above, answer this question:

  • How does the information assist your company in realizing its goals?

The answer to this question starts you on the process of creating a security policy that enhances the overall mission of your organization. During this process, identify the information system assets that are critical to supporting the overall corporate goals.

Create the high-level information security policy. Get as much input as you can and make sure that everyone is on board — it will prove critical to your long-term success. In particular, this means getting the input of users of the information and not just the wish-list of your IT staff.

Based on the high-level security policy requirements and the assets that you have previously identified, perform a risk analysis. Attempt to identify and quantify, either formally or informally, all of the combinations of threats and vulnerabilities that can put the goals of your information security policy at risk. This can be a complicated process, especially when you attempt to quantify the intangible elements of your information assets.

Only when this process is done, and the likely risks to your information have been identified, is it time to start playing with the toys. The process of selecting countermeasures can now begin. The proper selection of countermeasures should not be based on what a sales rep tells you a device is capable of doing. Because you have done a risk analysis, you know what capabilities you require of countermeasures. Remember that each selected method of risk reduction must be cost-effective; that is, the cost of the control does not exceed that of what it is trying to protect. Furthermore, different countermeasures can provide varying value to your information systems. Be sure to compare the possibilities completely. In many cases, the advertised price is not the best estimate of the real value of any countermeasure.
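The cost-effectiveness rule above (a control should not cost more than what it is trying to protect) can be turned into a simple calculation that compares candidate countermeasures on equal terms. The following Python is an added worked example, not code from the book; it uses the standard quantitative risk-analysis terms SLE (single loss expectancy), ARO (annual rate of occurrence) and ALE (annual loss expectancy), which the chapter does not define, and the risk register and prices in it are constructed illustrative figures, not real ones.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    """One threat/vulnerability combination against an information asset.

    Uses the standard quantitative risk-analysis terms (assumed here, not
    defined in the chapter):
      SLE = asset_value * exposure_factor   (loss per incident)
      ALE = SLE * annual_rate               (expected loss per year)
    """
    name: str
    asset_value: float      # business value of the asset, in dollars
    exposure_factor: float  # fraction of that value lost per incident (0..1)
    annual_rate: float      # expected incidents per year (ARO)

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.annual_rate


@dataclass(frozen=True)
class Countermeasure:
    """A candidate control and the risk it addresses.

    annual_cost must be the real yearly cost (licence, hardware, staff time,
    training), not the advertised price.
    """
    name: str
    risk_name: str
    annual_cost: float
    rate_reduction: float = 0.0  # fraction by which it cuts incident frequency
    ef_reduction: float = 0.0    # fraction by which it cuts loss per incident


def residual_ale(risk: Risk, cm: Countermeasure) -> float:
    """ALE that remains once the countermeasure is in place."""
    rate = risk.annual_rate * (1.0 - cm.rate_reduction)
    ef = risk.exposure_factor * (1.0 - cm.ef_reduction)
    return risk.asset_value * ef * rate


def net_benefit(risk: Risk, cm: Countermeasure) -> float:
    """Yearly loss avoided minus yearly cost of the control.

    Positive means the control costs less than the risk it removes;
    negative means it costs more than what it is trying to protect.
    """
    return risk.ale() - residual_ale(risk, cm) - cm.annual_cost


def rank_countermeasures(risks, cms) -> List[Tuple[str, float]]:
    """Score every control against its own risk, best net benefit first."""
    by_name: Dict[str, Risk] = {r.name: r for r in risks}
    rows = [(cm.name, net_benefit(by_name[cm.risk_name], cm)) for cm in cms]
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


def cost_effective(risks, cms) -> List[str]:
    """Names of the controls whose net benefit is positive, best first."""
    return [name for name, benefit in rank_countermeasures(risks, cms) if benefit > 0]


# Constructed sample register; every figure below is illustrative only.
SAMPLE_RISKS = [
    Risk("customer database breach", asset_value=500_000, exposure_factor=0.4, annual_rate=0.1),
    Risk("web server defacement", asset_value=50_000, exposure_factor=0.2, annual_rate=2.0),
    Risk("laptop theft", asset_value=5_000, exposure_factor=1.0, annual_rate=3.0),
]

SAMPLE_COUNTERMEASURES = [
    Countermeasure("database encryption at rest", "customer database breach", 8_000, ef_reduction=0.75),
    Countermeasure("managed WAF subscription", "web server defacement", 25_000, rate_reduction=0.9),
    Countermeasure("web server patching and hardening", "web server defacement", 6_000, rate_reduction=0.6),
    Countermeasure("full-disk encryption on laptops", "laptop theft", 2_000, ef_reduction=0.8),
    Countermeasure("laptop cable locks", "laptop theft", 500, rate_reduction=0.3),
]


if __name__ == "__main__":
    for risk in SAMPLE_RISKS:
        print(f"{risk.name:35s} ALE = ${risk.ale():>10,.0f}")
    for name, benefit in rank_countermeasures(SAMPLE_RISKS, SAMPLE_COUNTERMEASURES):
        verdict = "cost-effective" if benefit > 0 else "costs more than it protects"
        print(f"{name:35s} net benefit = ${benefit:>10,.0f}  ({verdict})")
```

Each control is scored in isolation against the single risk it addresses, so two controls on the same risk (the WAF subscription and the patching programme above) are alternatives to compare, not benefits to add together. In the sample register the WAF removes more risk than patching does but its yearly cost exceeds the loss it avoids, which is exactly the case the chapter warns about: the advertised capability is real, but the control costs more than what it is trying to protect.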

This is the stage at which the information in this book will be the most important. There are many ways to protect the information on your network. The guidelines in this book should allow you to make an informed decision as to which solutions are best for your situation.

From the policy, create a number of documents that provide the standards and procedures that will be used on your network. At a minimum, you should include the following standards and procedures documents:

  • Technical (network)

  • Administrative

  • Physical

  • Incident Response

  • Disaster Recovery and Response

  • Acceptable Use Policy

Each of these documents should outline the specifics of the "do's and don't do's" for your environment. They may include rules that human resources must implement for the hiring and firing of employees or an outline of the way in which encryption will be used to protect the confidentiality of data.

From these documents, the actual configuration guides will be created. These guides are used by the staff to implement the standards and procedures. These should be quite detailed and provide all the information required for each aspect of the information security policy.

Begin the implementation! Implement the various countermeasures you have selected. Enforce them as necessary. Provide training to your users, positive feedback, and refresher courses as required. Practice your disaster recovery and incident response plans so that your teams are experienced when the time comes to use them.

Things are going to happen after your implementation. Do not view this as a failure of your security policy. Accept that this is a normal part of the networked environment and be confident that, most likely, your preparedness prevented the situation from being much worse. In fact, this is a perfect time to estimate the actual dollar value of what your security policy may have saved you versus what the incident has cost you.

When things have calmed down, begin the process of reviewing your information security policy and any associated parts of that policy. Modify the information security policy and begin the process again.

People have been trying to secure themselves for hundreds of thousands of years. Some of the earliest uses of technology were an attempt to increase this protection. History teaches us that this approach has never been completely successful; but by understanding and following the process of security, you can be confident that you are employing the technology in the most effective manner possible. Good luck, but remember that luck favors the prepared!




Network Perimeter Security: Building Defense In-Depth
ISBN: 0849316286
Year: 2004
Pages: 119
Authors: Cliff Riggs