ISO 17799 Information Aggregator

Top 10 Information Systems Security Controls in the Enterprise

Posted: June 20th, 2010 | Filed under: Uncategorized

The modern enterprise IT infrastructure as we know it today has evolved over the years, from the huge computers of the mid 1940s, which could not even do what our small calculators do today, through the years of mainframes. We now have high-performance computers with large amounts of storage and high speeds that are easily affordable. We have seen a shift of focus from centralized to decentralized, distributed, networked computing within enterprises. All these developments have been great, as they have eased the way we do business, but they have also brought a myriad of enterprise security issues.

In this article we look at the top 10 enterprise security controls that we could deploy to reduce the effect of known enterprise infrastructure security issues.

1. Take a holistic approach to security

Successful enterprise security requires good planning and a holistic security strategy that considers everything in the organization, from business processes to the people, on an ongoing basis. All too often, enterprises turn to costly technical solutions only as a reaction to security breaches.

2. Develop an Enterprise security program / policy

Organizations need to develop security programs that outline the roles, policies, procedures, standards and guidelines for enterprise security.

Roles: Outline who is responsible for what, e.g. the Chief Information Security Officer (CISO) could be responsible for ensuring a good security posture for the organization.

Policies: These are general, organization-wide statements that set out the mandatory requirements to ensure a minimum security level. Examples include an Acceptable E-mail Use Policy, an Internet Use Policy, a Mobile Devices Use Policy etc…

Standards: These are derived from policies, laying out the specific steps or processes required to meet a certain requirement. For example, a standard might require that all email communication be encrypted.

3. Manage Risk – On a continuous basis

Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. This involves identifying the assets in the organization that you need to secure; these could include human resources, technology, trade secrets, patents, copyrights etc… Then identify all possible risks that could affect the availability, confidentiality and integrity of these assets. Management can then decide what to do with the identified risks: a risk can either be mitigated or transferred to a third party such as an insurance company.

4. Refine Business Processes: Adopt Industry best Practices

Beyond the need to manage enterprise IT technology is the need to establish and employ best practices and processes to optimize IT services. A number of internationally recognized frameworks that describe effective ICT infrastructure management processes have already been developed, so there is no need to re-invent the wheel.

Examples include:
COBIT - Control Objectives for Information and related Technology {1},
ITIL - The Information Technology Infrastructure Library {2}
and ISO 27001 {3}

5. Streamline physical / environmental security

Physical and environmental security is vital to the protection of information assets and ICT infrastructure in the enterprise. Physical security should address monitoring and detection (e.g. security guards, alarms, CCTV); access control and deterrent solutions (e.g. locks, fencing, lighting, mantraps, biometrics); and environmental control and design (server room temperature, humidity, air conditioning, static electricity, fire suppression and detection, power generation and backup). All of these should be well streamlined.

6. Deploy content filtering / inspection solutions.

As content (email, Internet traffic etc…) moves in and out of the enterprise, it needs to be managed well to avoid security breaches and attacks. Controls could include:

- Web filters to enforce organizational Internet usage policies through content filtering, application blocking, and best-of-breed spyware protection.

- Spam filters / email firewalls to protect your email server from spam, viruses, spoofing, phishing and spyware attacks.

- Unified Threat Management (UTM) solutions: Several organizations choose to deploy UTM solutions that offer industry-leading functionality within one package, including an Intrusion Prevention System, antivirus with antispam, web filtering, firewall, SSL VPN, traffic shaping and many more.

7. Manage the inside of the Corporate Network

An increasing number of security breaches come from within the enterprise; therefore it’s vital to manage the inside of the enterprise network very well. Some of the steps we could take include the following:

- Taking an inventory of all authorized and unauthorized software and devices on the network.
- Maintenance, monitoring and analysis of audit logs.
- Continuous vulnerability assessment, patch management and remediation.
- Limitation and control of network ports, protocols and services.
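The steps above are easier to keep up continuously when the authorized state is written down and the observed state is checked against it by a script. The following is an added example, not code from the article: it compares a constructed software inventory and listening-port snapshot for two hosts against a per-role baseline, and counts failed SSH logins per source in a few constructed syslog-style lines. Host names, roles, packages, ports, addresses and log lines are all invented for the example; the thresholds are assumptions.

```python
"""Added example (not from the article): checking the inside of the network
against authorized baselines. All inventories, port snapshots and log lines
below are constructed for illustration."""
from collections import Counter
import re

# Constructed baseline: software an administrator has authorized per host role.
AUTHORIZED_SOFTWARE = {
    "web": {"nginx", "openssl", "logrotate"},
    "db": {"postgresql", "openssl", "logrotate"},
}

# Constructed baseline: listening services allowed per host role as (proto, port).
AUTHORIZED_LISTENERS = {
    "web": {("tcp", 22), ("tcp", 443)},
    "db": {("tcp", 22), ("tcp", 5432)},
}

# Constructed snapshot of what was actually observed on two hosts.
OBSERVED = {
    "web01": {
        "role": "web",
        "software": {"nginx", "openssl", "logrotate", "netcat"},
        "listeners": {("tcp", 22), ("tcp", 443), ("tcp", 8080)},
    },
    "db01": {
        "role": "db",
        "software": {"postgresql", "openssl", "logrotate"},
        "listeners": {("tcp", 22), ("tcp", 5432), ("udp", 69)},
    },
}


def unauthorized_software(observed, authorized):
    """Return {host: sorted packages that are not in the host role's allowlist}."""
    findings = {}
    for host, snap in observed.items():
        extra = snap["software"] - authorized.get(snap["role"], set())
        if extra:
            findings[host] = sorted(extra)
    return findings


def unexpected_listeners(observed, authorized):
    """Return {host: sorted (proto, port) pairs that are not in the role's baseline}."""
    findings = {}
    for host, snap in observed.items():
        extra = snap["listeners"] - authorized.get(snap["role"], set())
        if extra:
            findings[host] = sorted(extra)
    return findings


# Constructed audit log lines in a syslog-like format (not real logs).
AUDIT_LOG = """\
Jun 20 09:01:12 db01 sshd[412]: Failed password for root from 10.0.5.7 port 50211 ssh2
Jun 20 09:01:15 db01 sshd[412]: Failed password for root from 10.0.5.7 port 50212 ssh2
Jun 20 09:01:19 db01 sshd[412]: Failed password for root from 10.0.5.7 port 50213 ssh2
Jun 20 09:02:02 web01 sshd[901]: Accepted publickey for deploy from 10.0.1.20 port 40100 ssh2
Jun 20 09:03:44 db01 sshd[415]: Failed password for admin from 10.0.5.7 port 50220 ssh2
Jun 20 09:05:10 web01 sshd[903]: Failed password for deploy from 10.0.1.21 port 40111 ssh2
"""

# Matches the constructed log format: "<Mon> <day> <time> <host> sshd[pid]: Failed password for <user> from <src>"
FAILED_RE = re.compile(
    r"^\S+ +\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+)"
)


def failed_logins_by_source(log_text, threshold=3):
    """Count failed SSH logins per (host, source address) and return those at or above threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            counts[(m["host"], m["src"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("unauthorized software:", unauthorized_software(OBSERVED, AUTHORIZED_SOFTWARE))
    print("unexpected listeners:", unexpected_listeners(OBSERVED, AUTHORIZED_LISTENERS))
    print("repeated failed logins:", failed_logins_by_source(AUDIT_LOG))
```

In a real deployment the baselines would come from the change-management record and the snapshots from the package manager and a listening-socket listing on each host; the value of the exercise is that every deviation is a question for the owner of that host rather than something discovered after an incident.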

8. Have an Identity and Rights Management System

Identity management is vital to avoid user-rights violations and excessive-rights issues. Put in place procedures, guidelines and a system for identity management, which involves the creation of users, changes to user rights, removal of rights and resetting lost user passwords. This also calls for controlled use of administrative privileges. Is access in the enterprise granted on a need-to-know basis? For example, should everyone in the organization have access to the payroll database?

9. Put emphasis on Data Loss Prevention (DLP).

Data loss prevention takes into consideration the security of data, both in motion and at rest. With the advent of portable devices and memory sticks that have lots of storage space, it is very easy for someone to copy large amounts of corporate data onto removable media in a matter of seconds. I have heard stories of disgruntled employees selling client databases to the competition. Data loss prevention (DLP) encompasses the tools that prevent accidental data leakage, including device and port control and encryption (both hard-drive and removable-media encryption).

Also, how does your organization handle hard disks that hold sensitive information and need disposing of? How about paper documents? I bet one could get lots of information just by dumpster diving in corporate trash bins (I am told some investigative journalists use this method to “snoop”). There is no excuse for an organization not to shred sensitive paper documents, given all the shredders available on the market; some can even shred plastic and CD media.

10. Don’t go it alone

Securing information assets is becoming more vital every day; unfortunately many organizations do not consider it important until a breach has actually happened.

You can imagine the direct costs of not being proactive about information security: the cost of recovering data lost or altered during an incident, the cost of notifying customers of breaches, fines for non-compliance, and indirect costs such as lost customers, lost productivity, time spent investigating and resolving breaches and hoaxes, and so on. Therefore it’s crucial to seek external assistance from a specialist firm or consultant if need be, to assist in areas like:

- Carrying out an IT audit and Penetration Tests a.k.a “Ethical hacking” on your own infrastructure.
- Assisting with information security awareness training for your staff, etc…

It’s important to note that securing information assets in an enterprise is not a one-off event but a continuous process that requires ongoing effort and the support of top management, because the threats to information systems continue to evolve and change daily.

References:

{1} itgovernance
{2} itlibrary.org
{3} http://www.27000.org

About the Author

Mr. Thomas Bbosa, CISSP, is an Information Systems Security Consultant and Managing Partner with BitWork Technologies Ltd (http://www.bitworktech.com), an IT firm based in Kampala, Uganda. He is a Certified Information Systems Security Professional (CISSP) with over 10 years’ experience in the IT industry. He has been involved in various roles in IT infrastructure management and support, information systems security management and solutions deployment.

Article Source:

http://EzineArticles.com/?expert=Thomas_Bbosa



Compliance and Security

Posted: June 16th, 2010 | Filed under: Uncategorized

Compliance

It is possible to have excellent security and not be compliant, and it is also possible to pass a compliance audit and have very poor organizational security. The illusion that compliance equals security has led organizations to spend excessively on compliance to the detriment of security.

There are five principles for balancing compliance with security:

o Base your security program on a security framework

o Leverage compliance budgets for information security controls

o Automate policy compliance and auditing

o Be prepared to manage change in threats and regulations

o Create an effective awareness and training program

Different organizations, information security professionals and consulting companies approach security programs in different ways. Many organizations follow the ISO 17799 approach (International Organization for Standardization) and a few follow the COBIT standards (Control Objectives for Information and Related Technology); both are great starting points. But there is another approach called the Sherwood Applied Business Security Architecture (SABSA).

The SABSA model uses different roles, each working from the following perspective:

o Business owner – Contextual

o Architecture – Conceptual

o Designer – Logical

o Builder – Physical

o Tradesman – Component

o Facilities Manager – Operational

The SABSA model slices an enterprise into six different layers so that security can be more focused and more business-oriented. Although the model is theoretical and academic in nature, once an organization has its security building blocks in place it can evolve past the ISO model and implement SABSA.

6.1 Complying with BS7799/ISO 17799

Developing and implementing the standard from a business and technical perspective consists of:

Part 1

o Code of practice for information security management

Part 2

o Specification for information management systems

Why Implement:

o Helps realise the security policy

o Builds a level of business confidence

o Easy and flexible architecture

o Common standard

o Position of strength

o Ability to leverage business benefits

o Develop best practice

o Introduce bench mark standards

o Recognised international standards

The standard was developed from the following legislation:

o Data Protection Act 1984

o Data Protection Act 1988

o Data Protection Act 1998

o Computer Misuse Act 1990

o Copyright Designs and Patents Act 1988

o Human Rights Act 2000

o Regulation of Investigatory Powers Act 2000 (RIP Bill)

BS7799 Contents of Part 1

o Scope

o Terms and definitions

o Security policy

o Security organisation

o Asset classification and control

o Personnel security

o Physical and environmental security

o Communications and operations management

o Access control

o Systems development and maintenance

o Business continuity management

o Compliance

BS7799 Contents of Part 2

o Scope

o Terms and definitions

o Information security management system requirements

o Detailed controls

1. Security policy

2. Security organisation

3. Asset classification and control

4. Personnel security

5. Physical and environmental security

6. Communications and environmental security

7. Communications and operations management

8. Access control

9. System development and maintenance

10. Business continuity management

11. Compliance

Critical Success Factors

o Policies, Objectives and Activities that reflect business objectives

o Appropriate resources

o Consistency with culture

o Visible support and commitment from management

o Clear understanding of the security requirements and risk

o Effective marketing of security to all employees

o Distribution of information to all partners, suppliers, employees and contractors

o Providing appropriate training and education

o Key performance indicators

Selecting Controls

o Identify business objectives

o Identify business strategy

o Identify security strategy

o Identify and implement controls

Key controls

1. Information security policy document

2. Allocation of security responsibilities

3. Information security education and training

4. Reporting of security incidents

5. Virus controls

6. Business continuity planning

7. Control of proprietary software copying

8. Safeguarding of company records

9. Compliance with data protection legislation

10. Compliance with the security policy

Certification requirements for BS7799 /ISO 17799

The organisation shall establish and maintain a documented ISMS.

Management framework

1. Risk management approach

2. Identify control objectives and controls

3. Documented evidence:

- evidence of the actions undertaken

- a summary of the management framework

- the procedures adopted to implement the controls

- the procedures covering the management and operation of the ISMS

In 2005 the International Organization for Standardization released the 2005 edition of ISO 17799, which establishes guidelines and general principles for initiating, implementing, maintaining and improving information security in an organization. These are intended to be implemented to meet the requirements identified by a risk assessment.

Management framework

o Define the policy

o Define the scope of the information security management system

1. Characteristics of the organisation

2. Location

3. Assets

4. Technology

o Undertake risk assessment

1. Threats

2. Vulnerabilities

3. Impacts

4. Degree of risk

o Manage the risks

o Select control objectives & controls

o Prepare statement of applicability

1. Selected control objectives and rationale

2. Exclusion of controls and rationale

6.2 Applying BS7799/ISO17799

o A Practical Approach

o Gap Analysis

o Action Planning

o Risk Assessment and Treatment

o Developing an improvement programme

o Effective Statement of Applicability

o Planning and Costing a BS7799/ISO17799 project

o ISMS (Information Security Management System)

o Audit

How to do BS7799/ISO17799 Projects

Who to Interview (interviewee: BS7799 area)

o Security Management: Security Policy / Organisation

o Security Management: Asset Classification and Control

o Typically HR: Personnel Security

o Site Security / IT Manager: Physical and Environmental Security

o Business Manager / IT Manager: Communications and Operations Management

o System Administration Staff: Access Control

o Development Staff: System Development

o Business Continuity Manager: Business Continuity Management

o Internal Audit / Legal: Compliance

o Appropriate Staff / Line Management: Business / Information Processes

A Good Gap Analysis

o Clearly defined scope

o Clear findings against each control (good areas as well as gaps)

o The ISMS

o Clear practical and appropriate recommendations leading to compliance

o All recommendations reinforced and supported by findings

Finalising Resources

Resourcing:

o Match actions with in-house resources and confirm availability

o Identify availability shortfalls

o Identify where specialist support is needed

o Obtain necessary approvals for SIP

Ensure the group has access to the full Gap Analysis Report for guidance.

Establish the ISMS through the creation of the Information Security Forum.

6.3 Risk Assessment and BS7799/ISO17799

o Define a systematic approach to risk assessment

o Identify the risk

o Assess the risk

o Select control objectives and controls for the treatment of risk

o Identify and evaluate options for the treatment of risk

Generic Steps

o Identify assets

o Identify asset dependencies

o Business Impact Assessment (Asset Valuation)

o Threat Assessment

o Determine levels of risk (Risk Assessment)

o Countermeasures Selection

o Map to BS7799/ISO17799

o Risk Treatment
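The generic steps above, from asset identification through risk treatment, carried through in code. This is an added example and not material from the article or from the BS7799/ISO 17799 standard: the assets, dependencies, valuations, threats and countermeasures are constructed, and the 1 to 5 scoring scale, the multiplicative risk formula and the risk appetite are assumptions chosen for illustration. The "Map to BS7799" step is represented by tagging each countermeasure with the Part 1 area it falls under.

```python
"""Added example (not from the article): the generic risk assessment steps
carried through in code. All data and the scoring scale are constructed."""

# Steps 1-2: identify assets and their dependencies (constructed).
# "value" is the business impact of losing the asset on its own, 1 (low) .. 5 (critical).
ASSETS = {
    "customer_db": {"value": 5, "depends_on": ["db_server"]},
    "db_server": {"value": 2, "depends_on": ["server_room"]},
    "server_room": {"value": 1, "depends_on": []},
    "intranet": {"value": 2, "depends_on": []},
}

# Step 4: threat assessment (constructed): likelihood and exposure on a 1..5 scale.
THREATS = [
    {"asset": "server_room", "threat": "fire", "likelihood": 1, "exposure": 5},
    {"asset": "db_server", "threat": "unpatched service", "likelihood": 4, "exposure": 3},
    {"asset": "intranet", "threat": "defacement", "likelihood": 2, "exposure": 2},
]

# Step 6-7: candidate countermeasures, each lowering likelihood or exposure,
# mapped to the BS7799 Part 1 area they belong to (constructed).
COUNTERMEASURES = {
    "fire suppression": {"asset": "server_room", "exposure": -3, "cost": 10,
                         "bs7799": "Physical and environmental security"},
    "patch management": {"asset": "db_server", "likelihood": -3, "cost": 4,
                         "bs7799": "Communications and operations management"},
}

RISK_APPETITE = 20  # assumed: a residual risk score at or below this is accepted


def effective_value(assets, name):
    """Steps 2-3: an asset inherits the highest value of anything that depends on it,
    so a cheap server room carrying a critical database is valued as critical."""
    dependents = {n: [] for n in assets}
    for n, a in assets.items():
        for dep in a["depends_on"]:
            dependents[dep].append(n)
    best, stack, seen = assets[name]["value"], [name], {name}
    while stack:                      # walk the dependency graph upwards; 'seen' guards cycles
        cur = stack.pop()
        best = max(best, assets[cur]["value"])
        for d in dependents[cur]:
            if d not in seen:
                seen.add(d)
                stack.append(d)
    return best


def plan_treatment(assets, threats, countermeasures, appetite):
    """Steps 5-8: score each threat, apply the cheapest applicable countermeasures
    until the score is within appetite, and record the treatment decision."""
    plan = []
    for t in threats:
        value = effective_value(assets, t["asset"])
        lik, exp = t["likelihood"], t["exposure"]
        inherent = value * lik * exp          # assumed formula: value x likelihood x exposure
        applied = []
        candidates = sorted(
            (n for n, c in countermeasures.items() if c["asset"] == t["asset"]),
            key=lambda n: countermeasures[n]["cost"],
        )
        for name in candidates:
            if value * lik * exp <= appetite:
                break
            c = countermeasures[name]
            lik = max(1, lik + c.get("likelihood", 0))
            exp = max(1, exp + c.get("exposure", 0))
            applied.append(name)
        residual = value * lik * exp
        if inherent <= appetite:
            decision = "accept"
        elif residual <= appetite:
            decision = "mitigate"
        else:
            decision = "transfer or escalate"   # e.g. insure, or take to management
        plan.append({
            "asset": t["asset"], "threat": t["threat"],
            "inherent": inherent, "residual": residual,
            "controls": applied,
            "mapped_to": [countermeasures[n]["bs7799"] for n in applied],
            "decision": decision,
        })
    return plan


if __name__ == "__main__":
    for row in plan_treatment(ASSETS, THREATS, COUNTERMEASURES, RISK_APPETITE):
        print(row)
```

The point the dependency step makes is visible in the numbers: the server room is valued at 1 on its own, but because the critical customer database ultimately depends on it, the fire threat is scored against a value of 5 and needs treatment, whereas the intranet defacement stays within appetite and is simply accepted. The resulting plan is the raw material for the Statement of Applicability: selected controls with their rationale, and risks accepted with theirs.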

Document Management

BS7799/ISO17799 section 4.3 calls for:

o Distribution /Availability to staff as required

o Version/ Change control

o Documents to be dated (Including previous versions)

o By implication, uniquely identifiable and fully controlled documents

ISO 9001 compliance is an advantage.

Appropriate change control is needed for intranet solutions.

10 Tips for Success

1. Ensure senior management involvement

2. Recommend a realistic and useful scope

3. Develop a good risk assessment

4. Promote Active Risk management

5. Interpret the controls for the scope

6. Ensure early Security Forum creation

7. Ensure maximum use of the Statement of Applicability

8. Get internal third parties to sign up

9. Get audits underway to raise assurance

10. Take staff awareness seriously

You can purchase the best seller “The Art of Security and Information Hiding” at http://www.amazon.com

Emmanuel Sodipo is a consultant managing several successful online businesses. You can also purchase this book directly from http://lulu.com/content/2086282

Article Source:

http://EzineArticles.com/?expert=Emmanuel_Sodipo
