September 2005

With information theft, identity theft, and the privacy consequences of inadequate data security on the rise, organizations are overwhelmed maintaining the security of their networks while trying to meet the information security requirements of the federally mandated HIPAA, Sarbanes-Oxley and Gramm-Leach-Bliley Acts.

One can no longer afford to stand by and wait until a disaster occurs before investing in the security measures necessary to meet Federal guidelines and customer commitments. By then it will be too late to react and the cost too high (loss of customer trust, lost income, severe penalties for non-compliance, and possible jail time).

Organizations that commit the proper time and money to securing their network infrastructure enjoy the benefits of meeting Federal regulatory guidelines, improved network security, and reduced system downtime with increased productivity.

There are five phases in which organizations should invest in securing their infrastructure:

Assessment

Action: Assessment of the current level of information security.

Result: Gap analysis between current state and Federal requirements.

Design

Action: Design and documentation of policies, procedures and solutions to help mitigate security risks.

Result: Creation of gap closure plan.

Deployment

Action: Deployment of protection technology and services.

Result: Execute gap closure plan by identifying and retaining experienced service providers.

Management and Support

Action: Continued management of security program to provide business continuity.

Result: Ensures gaps remain closed and new gaps are not opened.

Education

Action: Education of organization on security best practices and best-of-breed technology.

Result: Ensures employees acknowledge their responsibilities with security best practices, documents and training.

Assessing the situation:

The first step is to assess the current situation. This is accomplished by performing a comprehensive security audit. In order to obtain an unbiased assessment, best practice guidelines recommend utilizing the services of an independent IT vendor experienced in the audit and reporting process.

An organization must first form a ‘security team’ or committee to oversee and make final decisions regarding the security needs of the business, what vendors to utilize, what steps to take after the audit, and the continued security management of the network.

The ‘team’ should consist of at least one principal or executive officer who has the authority to approve funds for security projects and monitor the work. A manager or representative with decision-making authority from each department, and the manager of the IT department, should also be included on the team.

Depending on the size of the organization, the ‘team’ may consist of only one person. The team should meet regularly. Discussions should include what measures to take regarding security procedures, emerging threats, and awareness. Decisions should be made based upon these discussions.

A comprehensive audit will focus on various layers of security:

Security Policy Layer – Encompasses all aspects of employee awareness of security and responsibility to the network, email, internet usage, password usage, and handling of sensitive data.

Physical Layer – Addresses the need for ensuring that all computer equipment remain safe and secure from unauthorized access. Individual responsibility is assigned to critical equipment; with the owner having the appropriate resources, skills, and information to fulfill this responsibility.

Data Layer – Controls the accessibility of data on the network. The desired outcome is one that restricts the access of data to only those users who are required to have access (access management).

Application Layer – Includes such applications as host-based antivirus software, anti-spyware software, and personal firewalls. These tools provide essential ‘last-resort’ security for applications and data.

Network Perimeter Layer – With the proper utilization of firewalls, virtual private networks (VPN’s), routers, intrusion detection / prevention tools, and web content filtering, unauthorized access from outside the network can be prevented.

Management Layer – This important layer requires constant supervision to ensure consistency: assessing overall vulnerability and managing patches and updates for each piece of software and each policy. This layer includes the creation of the security framework that makes it possible to identify potential threats early, accurately analyze risks from emerging threats, and develop effective remediation strategies quickly.

Once the security assessment (audit) is finalized, the audit report will highlight all areas of risk and recommend solutions for mitigating each area of risk within the security layers, including the benefits of implementing each of the solutions (risk mitigation and increased productivity).

These areas of risk can then be addressed according to their level of risk. This will ensure all critical areas will be addressed first.

Designing the right solution:

The organization’s assigned ‘security team’ can then begin the process of formulating or modifying a solid company-wide security policy with detailed descriptions of each area of concern.

Consideration and proper planning for implementing the recommended solutions must be performed. This will include a cost analysis and receipt of vendor quotes for each recommended solution. A budget for all immediate and ‘phased in’ projects must be included, along with timelines for implementation. This will prevent cost overruns due to unnecessary purchases.

Deploying the right solutions:

Once the planning and budgetary phase is complete, the organization can begin implementation. The recommended solutions will sometimes fall outside the organization’s level of expertise. ‘Best practices’ include engaging the expert services of vendors qualified to perform these tasks. These services should include training the organization’s IT staff to perform the management tasks needed to properly maintain the solution.

Continued Management and Support is a must:

No matter the size of the network, security must remain at the forefront. Once the security solutions have been implemented, the organization must remain vigilant to ensure that these investments are properly maintained. If left ‘unmanaged’ for any length of time, all will have been in vain.

A continued effort must be made in the areas of IT training, systems monitoring, data security and retention, patch management, and virus pattern updates; these are just some of the management and support services for the organization’s network that must be maintained. Many times, the organization does not have the necessary staff or funding to properly maintain these areas of concern. This is where ‘outsourcing’ of certain managed services can be beneficial to the organization.

Continued Education and awareness:

A security policy remains effective only if it is practiced. ‘Security education’ must remain constant and at the forefront throughout the organization’s infrastructure. Some of the ways agencies maintain security awareness include dedicating time for discussion and ‘what if’ questions during scheduled departmental and company-wide meetings, surprise inspections, security awareness posters within the organization, annual security audits and disaster recovery drills, and the receipt of weekly and monthly reports from the IT department.

Summation: The time to act is now.

Organizations can no longer afford to stand by and wait until a disaster occurs. The longer an organization waits, the greater the cost.

Your organization will obtain ‘peace of mind’ and enjoy the benefits obtained through the implementation of ‘security best practices’.

For more information please email Tim Woodcock.

For more information on our test programs call 1.800.567.5001 • www.agilityrecovery.com