Categories
Guest post by Chuck Mackey, Chief Security Architect, Sequris Group
Every day that passes brings new threats, attacks, and intrusions to computing environments. Inadequate cyber security and antiquated physical protection measures has inflicted serious damage on productivity, intellectual property and our prosperity, as a community, country and citizens. This is not fear-mongering; look only to sources such as privacyrights.org for a comprehensive list of logical (virtual) and physical breaches…that we know of.
It’s vitally important we understand that “It could happen to us.” But we also need to understand that we can continue to thrive even in the face of increased security measures. “Tighter” security does not necessarily mean “less access” and it doesn’t mean “lock down”. Rather, it’s precisely the opposite; complimented with an improved ability to authenticate the users’ of your organization’s computing environments and granting them the appropriate access to the systems they need to perform their jobs. It means improved control over who has permission, who may grant permission, and what access permission allows you to view, copy, store, retrieve, print, enter and leave.
Keep in mind that not all the issues associated with improved virtual and physical security deal with the technology; increased security can be achieved through policy, procedure, and process improvements. I’d like to propose four strategic ‘action steps’ to help you understand the big picture as well as the daily tasks required to effectively protect sensitive information.
1. Create a Comprehensive Security Strategy
Your senior-most leadership should formally state that logical and physical security is a fundamental principle of your organization and it will seek to protect the integrity of data, ensure its confidentiality, and enable availability to it, given proper identity and authentication. Further, leadership should institute a Security Council that coordinates this strategy and then develops a tactical blueprint for security between each of your organization’s business units, divisions, and departments.
The security strategy must articulate goals, objectives, and tactics that identity the steps to achieve high levels of safe and secure computing, along with safe and secure physical access to facilities, without compromising worker performance.
The starting point to advance these goals is to establish an organization-wide security policy that makes clear the organization’s intention to protect data and to maintain integrity concerning your mission, vision, values, goals, and objectives.
2. Organize for Security
The security team must be given top-level responsibility for co-developing the security strategy, along with IT (aligning IT and security is important for improving security and agility), into the creation of security procedure, and should handle the day-to-day implementation, operation, and performance. This team will have the responsibility, authority, accountability, and oversight to enact security initiatives, submit budget proposals relating to all aspects of security, manage approaches for all security measures, and collaborate with internal and external resources, including all vendors, suppliers, etc.
3. Regulate Security
An absolute necessity in regulating security is a security framework that establishes the “rules of the road.” The frameworks aides in accomplishing three security requirements:
- Assessing security risks for the organization;
- Identifying and adhering to relevant legal, statutory, regulatory, and contractual requirements of the organization;
- Formalizes a set of principles, objectives, and requirements for security to support its all security initiatives.
We recommend utilizing a proven framework that provides these three key elements:
- Control: Defines the specific controls to satisfy security objectives;
- Guidance: Provides the detail implementation explanation for a security control;
- Related Information: Provides any explanation related to controls concerning critical factors, such as legal consideration/legislation, directives, etc.
4. Revise Authority
Leadership should revise decisions concerning the investigation, purchase, adoption, and integration of any technology used for monitoring and other day-to-day security enforcement that is enabled by organization-wide technology.
The security operations team should be front-and-center on all decisions regarding network, unified communications platform, data center, Virtual Private Network (VPN) access, and the deployment of mobile computing devices (laptops and Personal Digital Assistants) throughout the entire organization.
Security is at or near the top of the list on just about everybody’s agenda these days; from major IT advisory and consultancies like Gartner, Deloitte, and others. Cyber crime, whether viewed as a terrorist activity, country-to-country espionage, malicious hacking, identity theft, or defamation, poses a serious blow to economic vitality and personal safety. We are in for a long struggle with increasingly diligent and well-funded cyber-criminals, foreign intelligence agencies, and sophisticated terrorist organizations all bent on compromising our data for their gain.
Focus on re-thinking your approach to IT security; it is much more than protecting your network. Re-think your position concerning Security, Safety, Business Continuity, and how each of these are impacted by—and also impact—decisions concerning data confidentiality, integrity, and availability.
Subscribe to Blog
Receive notifications of new posts by email.
