IT Manager's checklist
An IT security manager's checklist
IT security managers have to undertake a series of exercises
to identify, prioritise and address risks affecting their organisation's
sensitive information, writes R Sundar.
R Sundar
An organisation should address the control and security of its information
assets with an integrated and tangible index of service offerings. A fully
integrated security architecture provides a framework for a consistent and
unified approach by which an organisation's IT security manager can develop
and improve information security within the organisation's business operations.
Ideally, the security set-up should be driven by business requirements or objectives
as reflected in management's expectations for security. In practice, it is also
influenced by the technical, legal and regulatory environment in which the
organisation functions. Given the myriad factors that influence an organisation's
security requirements, an IT security manager has to undertake a series of
exercises to identify, prioritise and address risks affecting the organisation's
sensitive information.
Principles and policies
Several underlying themes dictated by the organisation's business requirements
and its operating environment drive the development of its security principles.
For instance, to remain competitive, a bank may extend access to its core
financial systems through an Internet banking channel to offer 24x7 services
to customers. One of the security principles for this bank would therefore be
to comply with the RBI's Internet banking services guidelines. Security policies
are founded on and flow from security principles. For instance, a bank's security
policy may state that access to sensitive information and systems will be
restricted to authorised personnel only, that any such access will be logged,
and that the logs will be periodically reviewed for anomalous entries.
Principles and policies serve as the drivers of an organisation's security
initiatives. In the above example, an information classification exercise becomes
necessary to determine what constitutes sensitive information. Moreover, security
policy also serves as a baseline that influences the acquisition and configuration
of the system and security software and devices required to enforce the
organisation's security requirements and so ensure compliance with policies.
Corporate security policies and standards are the cornerstones of an integrated
security architecture. Policies and processes linking financial, legal and business
requirements ensure the alignment of an organisation's security investments
with its perceived business risks. Organisations should develop policies and
standards to ensure that business imperatives as well as legal and financial
obligations are met and that employee awareness is created.
Information classification
To protect an organisation's information assets, the IT security manager
must have sufficient knowledge of the business processes and the underlying
applications that support them. The IT security manager should have access
to a variety of technologies and asset identification methodologies to identify
organisational assets, document the business processes they support, and
prepare an inventory of assets that conveys the breadth of the organisation's
systems, networks, applications and information.
It is imperative that the security initiative focusses on the information that
needs to be protected and remains agnostic about the multitude of forms in which
the same information manifests itself. For example, if an employee can effectively
eavesdrop on a VoIP conversation involving the CFO, confidentiality is defeated.
The type and extent of security required is ultimately dependent on the information
to be protected; therefore, classifying information and building an inventory
of the assets that store or handle it is a natural starting point for
such an exercise. Business process owners know best when it comes to gauging
the importance of information and hence should be involved to a great extent
in any information classification exercise. The objective is to determine the
security requirements of the information which can be done by considering the
impact to the business if confidentiality and integrity are lost or it becomes
unavailable. Since the prime focus is on information and not on the IT infrastructure,
making an inventory of assets should not be restricted to prominent information
sources and sinks alone. Assets that handle the information such as printers
and VoIP equipment should also be taken into consideration.
Risk assessment
A formal risk assessment should be carried out to determine the level of security
needed to support a specific business process or initiative. The IT security
manager should identify the risks that affect an organisation's ability
to protect the confidentiality, integrity and availability of its critical information
assets, and should develop a structured information classification model.
Once the important information has been identified, and it is known why
that information is important and which information assets handle it, the
next step is to determine the risk to which such information is exposed. Risk
arises from the combination of threats and vulnerabilities. In any organisation
there may be entities (current and past employees, competitors, script kiddies,
or seasoned crackers) who would be interested in enjoying greater access to its
information resources than they have a legitimate right to. These entities, along
with natural forces that may unintentionally affect the security of sensitive
information, constitute threats. However, a threat ceases to represent a risk
when there are no vulnerabilities to exercise. Vulnerabilities represent weaknesses
that can be accidentally triggered or intentionally exploited. Risk assessment
therefore necessitates a comprehensive evaluation of the threats and vulnerabilities
that can affect an organisation's information assets.
Threats and vulnerabilities analysis
Vulnerability
analysis focusses on technical and non-technical weaknesses affecting information
assets. By itself it does not distinguish between weaknesses that can be easily
exploited and those that may never be exercised. To derive significant
meaning, vulnerability analysis must be correlated with potential threats. A
vulnerability may not be actively exploited because of the considerable capability
required on the part of the attacker. Thus the likelihood of exploitation of
a vulnerability is typically determined by how widely it is known and the simplicity
with which it can be exercised. Coupled with the business impact of the weakness,
the likelihood of its exploitation determines the risk to which the information
asset is exposed owing to that weakness. This explains why the risk posed
by a weakness differs depending on the source of the threat.
Risk mitigation
Once the IT security manager knows the risks to which critical information
assets are exposed, the obvious action is to introduce additional controls
to mitigate them. The objective is to reduce the residual risk to acceptable
levels with minimal reduction in other system capabilities. This can be done
by eliminating the threat or the weakness or both, by restricting the impact
of the weakness, or by implementing methods to detect exploitation of the
weakness and take appropriate action. Risk mitigation refers to prioritising,
implementing and maintaining the appropriate risk-reducing measures.
Prioritisation is based on the risk quantified in the risk assessment phase
from the likelihood assessment and impact analysis. Implementation may involve
acquiring and deploying devices and applications from various vendors, suitably
supplemented with administrative measures.
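As an added illustration (not from the article), the following Python sketches how the likelihood and impact factors described in the two sections above combine into a ranked risk register: a weakness's likelihood depends on how widely known and how simple to exercise it is, and drops to zero for a threat source that lacks the capability to exercise it, so the same weakness scores differently against a script kiddie than against a seasoned cracker. The threat sources, weaknesses and 1-to-5 scales are constructed assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Threat:
    name: str
    capability: int  # 1 = little skill (script kiddie) .. 5 = seasoned cracker

@dataclass(frozen=True)
class Weakness:
    asset: str
    description: str
    popularity: int      # 1 = obscure .. 5 = widely known
    simplicity: int      # 1 = hard to exercise .. 5 = trivial
    skill_required: int  # capability (1..5) needed to exercise it
    impact: int          # 1..5 business impact if the asset's C, I or A is lost

def likelihood(w: Weakness, t: Threat) -> int:
    """0..5: zero if the source lacks the capability, else the mean of
    popularity and simplicity, rounded up."""
    if t.capability < w.skill_required:
        return 0
    return -(-(w.popularity + w.simplicity) // 2)  # ceiling division

def risk(w: Weakness, t: Threat) -> int:
    """Risk score 0..25 = likelihood x business impact."""
    return likelihood(w, t) * w.impact

def prioritise(weaknesses, threats):
    """(risk, weakness, threat) triples, highest first; zero-risk pairs dropped."""
    rows = [(risk(w, t), w, t) for w in weaknesses for t in threats]
    return sorted((r for r in rows if r[0] > 0),
                  key=lambda r: (-r[0], r[1].asset, r[2].name))

def residual(w: Weakness, t: Threat, **controls) -> int:
    """Risk after a control changes weakness fields, e.g. impact=2 for
    segmentation or simplicity=1 for hardening."""
    return risk(replace(w, **controls), t)

# Constructed sample threat sources and weaknesses (not from the article).
THREATS = [Threat("script kiddie", 2), Threat("former employee", 3),
           Threat("seasoned cracker", 5)]
WEAKNESSES = [
    Weakness("core banking DB", "vendor default password on admin console", 5, 5, 1, 5),
    Weakness("VoIP gateway", "call traffic unencrypted on shared segment", 3, 3, 3, 4),
    Weakness("web server", "unpatched remote code execution flaw", 4, 2, 4, 5),
]

if __name__ == "__main__":
    for score, w, t in prioritise(WEAKNESSES, THREATS):
        print(f"{score:>2}  {w.asset:<16} {w.description:<44} via {t.name}")
```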
Security architecture
This constitutes the comprehensive arrangement of various security components
within the context of the operational infrastructure for protecting critical
information assets and for detecting and responding to security breaches or
attempts at such breaches. Ideally, a security architecture should adopt a
defence-in-depth approach, addressing security at the network, server,
application, data and human levels.
Infrastructure and security components that constitute an architecture must
be deployed by adhering to technology-specific Minimum Baseline Security Standards
(MBSS). MBSS define the system configuration values that must be set on the
installed components. These could be defined by the organisation for each
operating system, device and application, or adopted from the standards
recommended by vendors and bodies like the National Security Agency (NSA), the
National Institute of Standards and Technology (NIST) or the Center for
Internet Security (CIS).
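The following Python, added here as an example and not taken from the article or from any published benchmark, shows the mechanics of an MBSS check: a baseline of required configuration values is compared with the values actually set on a component, and every deviation, including a required value left unset, is reported. The OpenSSH directive names are real; the required values and the sample configuration are illustrative assumptions.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Rule:
    key: str
    expected: str                 # requirement as shown in the report
    check: Callable[[str], bool]  # actual value -> compliant?

def equals(v: str) -> Callable[[str], bool]:
    return lambda actual: actual.lower() == v.lower()

def at_most(n: int) -> Callable[[str], bool]:
    return lambda actual: actual.isdigit() and int(actual) <= n

# Illustrative OpenSSH MBSS; values are hypothetical, not from any NSA/NIST/CIS benchmark.
SSHD_BASELINE = [
    Rule("PermitRootLogin", "no", equals("no")),
    Rule("PasswordAuthentication", "no", equals("no")),
    Rule("X11Forwarding", "no", equals("no")),
    Rule("MaxAuthTries", "<= 4", at_most(4)),
]

def parse_config(text: str) -> dict:
    """'Key value' or 'Key=value' lines; '#' comments and blanks skipped;
    the first occurrence of a key wins, as sshd itself does."""
    settings = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].replace("=", " ", 1).split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def check_baseline(settings: dict, baseline: list) -> list:
    """(key, expected, actual) for every rule violated. A required value the
    config never sets is reported as 'unset', since MBSS values must be set."""
    deviations = []
    for rule in baseline:
        actual = settings.get(rule.key.lower())
        if actual is None or not rule.check(actual):
            deviations.append((rule.key, rule.expected, actual or "unset"))
    return deviations

# Constructed sample sshd_config: one wrong value, one out of range, one setting missing.
SAMPLE_CONFIG = """\
PermitRootLogin yes   # should be no
PasswordAuthentication no
MaxAuthTries 6
"""
```

Running `check_baseline(parse_config(SAMPLE_CONFIG), SSHD_BASELINE)` reports three deviations: PermitRootLogin set to yes, X11Forwarding unset, and MaxAuthTries at 6.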
Drafting comprehensive procedures
Once the basic infrastructure security components are implemented,
standard operating procedures should be developed to ensure effective and efficient
operations as well as adherence to the organisation's information security
policies. Procedures are typically developed for managing identities,
provisioning access, backup and restoration, monitoring of security incidents,
incident management, periodic assessment, patch management and configuration
change management.
The weakest link
It is well known that security is often breached by exploiting the weakest link.
More often than not, this weakest link is the user. In many organisations, the
user population is predominantly non-technical and is unaware of the significance
of information security and the risks posed to information assets. As a result,
an attacker need not even be technically competent to leverage the ignorance
of the user population; he or she could easily resort to social engineering
attacks to gain the necessary system information. Hence, it is advisable to
periodically conduct security awareness programmes and educate users about the
security measures put in place and their role and responsibility in ensuring
the security of the organisation's information assets. Further, all new
hires who use information resources or who have access to areas where information
resources reside must also receive formal security awareness training as early
as possible.
Periodic security audits
Security is not a one-time activity; it is an ongoing process. New vulnerabilities
affecting infrastructure components and system applications are discovered almost
daily, requiring continuous effort on the part of the security team to stay
up to date with the latest patches. Further, as business requirements constantly
change, existing system configurations may be modified and new components and
applications introduced to meet additional business demands. These changes and
new introductions may also introduce vulnerabilities that were hitherto
non-existent. Consequently, periodic audits of information systems must be
carried out either by a team of internal experts or by a competent external party.
The primary advantage of an architectural approach to information security is
the alignment of an organisation's investment in security with its perceived
business risks. As speed to market is critical, organisations should optimise
their effectiveness in emerging market conditions without security issues
impeding either their market or business initiatives. With this approach, organisations
are able to maximise their investments and know that their vital resources are
secured and protected.
The security architecture process enhances competitive advantage
by enabling the IT infrastructure to securely meet critical business objectives.
Implementing a security architecture not only helps organisations address security
issues, but also drives greater efficiencies and permits greater reliance on
systems and controls in place.
The author is Associate Director, Ernst & Young. He
can be reached at r.sundar@in.ey.com