ISO 17799 Information Aggregator

Thaweesak – Windows Live

Posted: June 21st, 2010 | Filed under: Live! Search

In 2006, the e-Transactions Commission issued the Information Security Standard for Thailand, based on ISO/IEC 17799 and ISO/IEC 27001. The document was widely distributed and …

Originally posted here: Thaweesak – Windows Live


What is ISO 17799, ISO 27000, PCI Credit Card Standard – Michael Grace

Posted: June 21st, 2010 | Filed under: Uncategorized

For my System Security class we get to learn about ISO 17799, ISO 27000, and the PCI Credit Card Standard. When I first started looking up information about 17799 and 27000 I was a bit overwhelmed and confused by the information that is …

Here is the original post: What is ISO 17799, ISO 27000, PCI Credit Card Standard – Michael Grace


A Brief History of ICT in Thailand 1968-2007 – Windows Live

Posted: June 21st, 2010 | Filed under: Live! Search

In 2006, the e-Transactions Commission issued the Information Security Standard for Thailand, based on ISO/IEC 17799 and ISO/IEC 27001. The document was widely distributed and …

See the article here: A Brief History of ICT in Thailand 1968-2007 – Windows Live


EX0-101 certification

Posted: June 21st, 2010 | Filed under: Uncategorized

Testinside is Necessary for EX0-101 Exam
The EX0-101 certificate gives you the possibility to work in any country of the world, because it is acknowledged equally in all countries. This Testinside EX0-101 torrent certificate not only helps to improve your knowledge and skills; it also helps your career and makes qualified use of Testinside EX0-101 exam products possible under different conditions.

The majority of companies in the information technology sphere require EX0-101 certification for work in the company, and that makes obtaining this EX0-101 certification necessary. Many IT specialists were not able to obtain the EX0-101 certificate on the first attempt, which was the result of poor preparation for the examination using poor-quality EX0-101 study guides.

Testinside EX0-101 Practice Questions are designed with questions coupled with precise, logical and verified explanations. Our EX0-101 practice exam provides you with an examination experience like no other. Our EX0-101 practice exams and study questions are composed by current and active Information Technology experts, who use their experience to prepare you for your future in IT.

Prove your competencies: get EX0-101 certified
Information technology is the cornerstone of today’s highly demanding and competitive business world. As an IT professional, you face the daily challenge of providing reliable, consistent and affordable IT services in a constantly changing performance-driven environment. Prove your knowledge and join the EX0-101 certified IT Professionals.

EXIN, Inc., the Examination Institute for Information Science, is a global, independent IT examination provider offering qualification programs for ISO/IEC 20000, ISO/IEC 27000, ITIL®, MOF, ASL, BiSL, TMap® and SCP. It is EXIN’s mission to improve the quality of the IT sector, IT professionals and IT users by means of independent testing and certification.

Retrieved from “http://www.articlesbase.com/education-articles/ex0101-certification-1607617.html”

Visit link: EX0-101 certification


CtrlS Datacenter

Posted: June 20th, 2010 | Filed under: YouTUBE Videos

CtrlS is India’s first Tier IV datacenter, started with the vision of protecting the most critical assets of the knowledge economy. It is promoted by the Rs 750 group and the $20 billion NYSE-listed Och-Ziff Capital. Our world-class Tier IV data center has dual systems in every area of infrastructure, ensuring 100% uptime for the mission-critical applications of all our customers. Our areas of expertise include custom-built IT infrastructure and services suitable for large corporations, co-location services, managed services, and disaster recovery and business continuity planning services. Today, our datacenter solutions provide strategic advantages to several of the most-admired organizations in the world. Our present clientele includes global telecom majors, multinational manufacturing conglomerates, top Indian banks and service enterprises. CtrlS guarantees all its clients significant savings by eliminating capital costs and reducing recurring expenses without compromising on performance. Our processes are backed by both ISO 20000-1 and ISO 27001 certifications. marketing@ctrls.in

http://www.youtube.com/v/capHz6z5POk?f=videos&app=youtube_gdata

Here is the original post: CtrlS Datacenter


ISO 27001 Security Standard Published

Posted: June 20th, 2010 | Filed under: Uncategorized

This standard essentially defines an Information Security Management System (known as an ISMS), and complements the ISO 17799 ‘code of practice’ standard, which was re-published earlier in the year. It specifies the framework for the …

Read the rest here: ISO 27001 Security Standard Published


Top 10 Information Systems Security Controls in the Enterprise

Posted: June 20th, 2010 | Filed under: Uncategorized

The modern enterprise IT infrastructure as we know it today has evolved over the years, from the huge computers of the mid-1940s, which could not even do what our small calculators can do today, through the years of mainframes. We now have computers with fast processors, lots of storage space and high speeds that are easily affordable. We have seen a shift of focus from centralized to decentralized, distributed, network computing within enterprises. All these developments have been great, as they have eased the way we do business, but they have also brought a myriad of enterprise security issues.

In this article we look at the top 10 enterprise security controls that we could deploy to reduce the impact of known enterprise infrastructure security issues.

1. Take a holistic approach to security

Successful enterprise security requires good planning and a holistic security strategy that considers everything in the organization, from business processes to the people, on an ongoing basis. Too often, enterprises only consider costly technical solutions as a reaction to security breaches.

2. Develop an Enterprise security program / policy

Organizations need to develop security programs that outline the roles, policies, procedures, standards and guidelines for enterprise security.

Roles: Outline who is responsible for what; for example, the Chief Information Security Officer (CISO) could be responsible for ensuring a good security posture for the organization.

Policies: These are general, organization-wide statements that set out the mandatory requirements to ensure a minimum security level. Examples include an Acceptable E-mail Use Policy, an Internet Use Policy, a Mobile Device Use Policy, etc.

Standards: These are derived from policies and lay out the specific steps or processes required to meet a certain requirement, for example a requirement that all email communication be encrypted.

3. Manage Risk – On a continuous basis

Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. This involves identifying the assets in the organization that you need to secure; these could include human resources, technology, trade secrets, patents, copyrights, etc. Then identify all possible risks that could affect the availability, confidentiality and integrity of these assets. Management can then decide what to do with the identified risks: they can either be mitigated or transferred to a third party such as an insurance company.

4. Refine Business Processes: Adopt Industry best Practices

Beyond the need to manage enterprise IT technology is the need to establish and employ best practices and processes to optimize IT services. A number of internationally recognized frameworks have already been developed to describe effective ICT infrastructure management processes, so there is no need to re-invent the wheel.

Examples include:
COBIT - Control Objectives for Information and related Technology {1},
ITIL - The Information Technology Infrastructure Library {2}
and ISO 27001 {3}

5. Streamline physical / environmental security

Physical and environmental security is vital to the protection of information assets and ICT infrastructure in the enterprise. Physical security should cover monitoring and detection (e.g. security guards, alarms, CCTV) and access control and deterrent solutions (e.g. locks, fencing, lighting, mantraps, biometrics). Environmental control and design, including server room temperature, humidity, air conditioning, static electricity, fire suppression and detection, and power generation and backup, should all be well streamlined.

6. Deploy content filtering / inspection solutions.

As content (email, internet traffic, etc.) moves in and out of the enterprise, it needs to be managed well to avoid security breaches and attacks. Controls could include:

- Web filters to enforce organizational Internet usage policies through content filtering, application blocking, and best-of-breed spyware protection.

- Spam filters / email firewalls to protect your email server from spam, viruses, spoofing, phishing and spyware attacks.

- Unified Threat Management (UTM) solutions: several organizations choose to deploy UTM solutions that offer industry-leading functionality within one package, including an Intrusion Prevention System, antivirus with antispam, web filtering, a firewall, SSL VPN, traffic shaping and many more.

7. Manage the inside of the Corporate Network

We have already seen that an increasing number of security breaches come from within the enterprise; therefore it’s vital to manage the inside of the enterprise network very well. Some of the steps we could take include the following:

- Taking an inventory of all authorized and unauthorized software and devices on the network.
- Maintenance, monitoring, and analysis of audit logs.
- Continuous vulnerability assessment, patch management and remediation.
- Limitation and control of network ports, protocols, and services.

8. Have an Identity and Rights Management System

Identity management is vital to avoid user rights violations and excessive-rights issues. Put in place procedures, guidelines and a system for identity management, which covers the creation of users, changes to user rights, removal of rights, and resetting lost user passwords. This also calls for controlled use of administrative privileges. Is access in the enterprise granted on a need-to-know basis? For example, should everyone in the organization have access to the payroll database?

9. Put emphasis on Data Loss Prevention (DLP).

Data loss prevention takes into consideration the security of data both in motion and at rest. With the advent of portable devices and memory sticks that have lots of storage space, it is very easy for someone to copy lots of corporate data onto removable media in just a matter of seconds. I have heard stories of disgruntled employees selling client databases to the competition. Data loss prevention (DLP) encompasses the tools that prevent accidental data leakage, including device and port control and encryption (both hard-drive and removable-media encryption).

Also, how does your organization handle hard disks that hold sensitive information and need disposing of? How about paper documents? I bet one could get lots of information just by dumpster diving into corporate trash bins (I am told some investigative journalists use this method to “snoop”). There is no excuse for an organization not to shred sensitive paper documents, given all the shredders available on the market; some can even shred plastic and CD media.

10. Don’t go it alone

Securing information assets is becoming more vital every day; unfortunately many organizations do not consider it important until a breach has actually happened.

You can imagine the direct costs of not being proactive as far as information security is concerned: the cost to recover data lost or altered during an incident, the cost to notify customers of breaches, fines for non-compliance, and indirect costs such as lost customers, lost productivity, time spent investigating and resolving breaches and hoaxes, and many more. It is therefore crucial to seek assistance from an external firm or consultant if need be, to assist in areas such as:

- Carrying out an IT audit and penetration tests (a.k.a. “ethical hacking”) on your own infrastructure.
- Assisting with information security awareness training for your staff, etc.

It is important to note that securing information assets in an enterprise is not just an event but a continuous process that requires ongoing effort and the support of top management, because the threats to information systems continue to evolve and change daily.

References:

{1} itgovernance
{2} itlibrary.org
{3} http://www.27000.org

About the Author

Mr. Thomas Bbosa, CISSP, is an Information Systems Security Consultant and Managing Partner with BitWork Technologies Ltd – http://www.bitworktech.com, an IT firm based in Kampala, Uganda. He is a Certified Information Systems Security Professional (CISSP) with over 10 years’ experience in the IT industry. He has been involved in various roles in IT infrastructure management and support, information systems security management, and solutions deployment.

Article Source:

http://EzineArticles.com/?expert=Thomas_Bbosa

Read the original post: Top 10 Information Systems Security Controls in the Enterprise


ISO 27002 Security Policy Templates

Posted: June 20th, 2010 | Filed under: Uncategorized

The ISO 27002 Security Policy templates from ecfirst provide an excellent opportunity for organizations to develop customized policies to address critical regulatory compliance mandates. The policy templates are available in Microsoft Word as a download from the ecfirst e-store.

Why is the ISO 27000 such an important standard in the world of information security? The ISO 27000 series provides best practice recommendations on information security management, risks and controls within the context of an overall Information Security Management System (ISMS). It is applicable to organizations of all types, across industries, and sizes.

The security policy templates address all the controls defined within the categories and clauses of the ISO 27002 information security standard. ISO 27002 provides best-practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining an ISMS.

Your organization may be impacted by regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and possibly other regulations such as the Payment Card Industry Data Security Standard (PCI DSS) or U.S. state requirements. An important reference and an excellent framework in the world of information security are the ISO 27001 and ISO 27002 standards. Your organization can get a fast start on addressing regulatory requirements by first developing policies centered around this global information security standard.

About ecfirst:
ecfirst, an Inc. 500 business, has served over 1,400 clients across the United States in the areas of compliance, security and professional services. ecfirst delivers deep expertise with its full suite of services, which includes ISMS, IT project management, and general security and IT infrastructure solutions.

Retrieved from “http://www.articlesbase.com/management-articles/iso-27002-security-policy-templates-968350.html”

Read the original: ISO 27002 Security Policy Templates


Network Configuration Management Overview

Posted: June 20th, 2010 | Filed under: Uncategorized

This guide gives a brief overview of Network Configuration Management, otherwise known as Network Change and Configuration Management, or NCCM.

Why does it matter?

In a large corporate network it is not uncommon to have hundreds or thousands of network devices. If you add up all your switches, routers, firewalls and other network appliances, and then consider how many lines of configuration settings apply to each one, you can see there is a significant investment in your network’s configuration which needs to be protected.

Contemporary network devices will not only switch and route data, but will also VLAN, prioritize and shape multimedia traffic in converged networks. The settings and parameters that determine how traffic is handled all form part of the configuration of the device, and of course it is vital that all interoperating devices are configured consistently in order to deliver a healthy and reliable network infrastructure.

Of course, the security of your network depends on the way your devices are configured. Corporate governance policies all include data security considerations, such as Sarbanes-Oxley (SOX), GLBA, NERC, PCI DSS, HIPAA, MiFID, SAS 70, ISO 27000, the CoCo/GCSx Code of Connection and Basel II. These security standards have all been introduced to ensure that certain minimum levels of security and integrity are maintained for company financial information and any stored personal details of customers. Your network is inherently vulnerable while default settings are used, and it is vital that all known vulnerabilities are eliminated through

Therefore the configuration settings for your network need to be backed up, verified for compliance with any corporate governance policy or security standard, and kept consistent across the estate.

Unapproved changes are the biggest threat to IT Service Delivery and the single most likely cause of failures in IT infrastructures. Any changes that occur outside of established tracking and approval processes are classed as Unapproved Changes and, by definition, are undocumented. No audit trail of a change being made means there is no foothold to start from when troubleshooting a problem. In fact EMA primary research has indicated that greater than 60% of all environment failures would be eliminated if unapproved changes were identified before affecting IT performance.

Unapproved changes are introduced from a variety of sources including security violations, inappropriate user activity, and administrator errors. Even a seemingly benign alteration can have far-reaching unintended consequences to IT security, performance and reliability. Over time, system configurations deviate further and further away from established standards. This is referred to as “configuration drift”, and the greater the drift, the greater the risk posed to the reliability of an IT support stack.

The Network Change and Configuration Management Solution

A practical solution to address these requirements is to automate config backups and change tracking, which has given rise to the Network Change and Configuration Management, or NCCM, market.

Change and Configuration Management (CCM) is the process for minimizing configuration drift by ensuring all environment settings are approved and consistent with established standards. CCM is composed of three distinct practices: configuration management which is the creation, documentation and updating of standard settings for all supported IT components; change management which is the process for identifying and approving new configuration settings and updates; and change detection which is an ongoing process of monitoring for inappropriate changes. Achieving compliance objectives for ensuring IT infrastructure reliability requires automated solutions that address all three CCM disciplines.

How does it work?

To date, the development of network device hardware has taken place at a much faster rate than the equivalent development of network management or network configuration management software. In some respects it is understandable – Network Devices didn’t need managing or configuring originally as they were black boxes that either passed data or not. It was only with the advent of shared network infrastructures such as Ethernet that the configuration of addresses and protocols became necessary and some consideration made of the network topology to cater for traffic flows and volumes.

Simple Network Management Protocol (SNMP) came to the fore as a technology to address the need for performance, security and accounting statistics from the network, and at the same time, provide a means of changing the configuration of a network too.

As a standard however, anyone who has used SNMP will know that it is anything but consistent in all but the most basic statistics. It is common to find that the manufacturers’ ‘Management Information Database’ or MIB will purport to support certain performance metrics, only to find that different devices from the same manufacturer do not consistently report information via the MIB.

It is a similar story when using SNMP to gather or update configuration data – your version of Cisco Works may work well at backing up your 2950 switch configs but when you next upgrade to 3750 switches, you may quickly find out that Cisco Works suddenly needs an upgrade (at your expense, of course – ‘What do you mean, you pay annual maintenance? That is only to maintain your software, not to actually make it keep pace with product range developments!’)

Fortunately there are other, more ‘open’ ways to gather configuration settings from network devices: using TFTP in conjunction with scripted Telnet or SSH sessions is a consistent and more easily maintained approach that can be applied to all manufacturers and all devices.

All the above change and configuration management tasks can be automated using network change and configuration management (NCCM) software solutions, the best of which will cover desktop PCs together with change and configuration management of your servers and all network devices such as firewalls, switches and routers.
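The change-detection discipline described above (a freshly backed-up running config compared against the approved baseline, with change-management records deciding which differences are approved and which are drift), as an added Python example that is not part of the original article or of any NewNetTechnologies product. The switch configs and the ticket CHG-0042 are constructed for the example; a real backup job would fetch the current config via the TFTP/SSH approach the article mentions.

```python
"""Change detection for network device configs: compare a backed-up running
config with the approved baseline and flag drift that no change ticket covers.
Added example; the configs and the ticket below are constructed."""
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class ApprovedChange:
    """Change-management record: lines a ticket is expected to add/remove."""
    ticket: str
    added: FrozenSet[str]
    removed: FrozenSet[str]


def normalize(config: str) -> Set[str]:
    """Cisco-style config -> set of section-qualified lines. Unindented lines
    open a section; indented sub-commands become "<section> | <command>" so
    'no shutdown' under two interfaces stays distinct; '!' lines are ignored."""
    keys: Set[str] = set()
    section = ""
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] not in " \t":
            section = raw.strip()
            keys.add(section)
        else:
            keys.add(f"{section} | {raw.strip()}")
    return keys


def fingerprint(config: str) -> str:
    """SHA-256 of the raw backup, stored with it as the audit-trail record."""
    return hashlib.sha256(config.encode("utf-8")).hexdigest()


def detect_drift(baseline: str, current: str,
                 approved: List[ApprovedChange]) -> Dict[str, object]:
    """Split every difference into ticket-covered vs. unapproved drift and
    report which approved tickets have actually landed on the device."""
    base_keys, cur_keys = normalize(baseline), normalize(current)
    added, removed = cur_keys - base_keys, base_keys - cur_keys
    ok_added: Set[str] = set()
    ok_removed: Set[str] = set()
    applied, pending = [], []
    for chg in approved:
        ok_added |= chg.added
        ok_removed |= chg.removed
        landed = chg.added <= cur_keys and chg.removed.isdisjoint(cur_keys)
        (applied if landed else pending).append(chg.ticket)
    bad_added = sorted(added - ok_added)
    bad_removed = sorted(removed - ok_removed)
    return {
        "baseline_sha256": fingerprint(baseline),
        "current_sha256": fingerprint(current),
        "tickets_applied": applied,
        "tickets_pending": pending,
        "unapproved_added": bad_added,
        "unapproved_removed": bad_removed,
        "drifted": bool(bad_added or bad_removed),
    }


# Constructed sample: the approved baseline for an access switch.
BASELINE = """\
hostname core-sw-01
!
interface GigabitEthernet1/0/1
 switchport mode trunk
 no shutdown
!
interface GigabitEthernet1/0/2
 switchport access vlan 20
 no shutdown
!
line vty 0 4
 transport input ssh
"""

# Constructed sample: what the backup job pulled from the device. The user
# port moved to VLAN 30 (covered by the ticket below) and Telnet was
# re-enabled on the VTY lines (nobody approved that).
CURRENT = (BASELINE
           .replace("switchport access vlan 20", "switchport access vlan 30")
           .replace("transport input ssh", "transport input ssh telnet"))

# Constructed change-management record for the VLAN move.
CHG_0042 = ApprovedChange(
    ticket="CHG-0042",
    added=frozenset({"interface GigabitEthernet1/0/2 | switchport access vlan 30"}),
    removed=frozenset({"interface GigabitEthernet1/0/2 | switchport access vlan 20"}),
)
```

Calling `detect_drift(BASELINE, CURRENT, [CHG_0042])` reports CHG-0042 as applied and the VTY Telnet change as unapproved drift, which is exactly the item a change-detection alert should raise.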

All NewNetTechnologies software solutions are built using the latest technology, which means they can be fully adapted to suit all business environments. For more information on Network Configuration Management view our software solutions on http://www.newnettechnologies.com which provide 100% of the features you need but at a fraction of the cost of traditional solutions.

Article Source:

http://EzineArticles.com/?expert=Mark_Kedgley

Link: Network Configuration Management Overview


Online Business Copyrights and Disciplines

Posted: June 17th, 2010 | Filed under: Uncategorized

Online businesses do best with online marketing. Online opportunity and online work is, at the moment, at its zenith. Online communities help me connect Defining Collaboration Communities and Collaboration Web 2. Perhaps a better way of stating the issue is: What should you do to make online work successful in your work area. Most people manage by deadlines, and making decisions based on the online input keeps it real. People need to know what they are expected to do when they come to the online work area.

Creative Commons licenses attach to the work and authorize everyone who comes in contact with the work to use it consistent with the license. Creative Commons licenses are expressed in three different formats: the Commons Deed (human-readable code), the Legal Code (lawyer-readable code); and the metadata (machine readable code). Creative Commons licenses give you the ability to dictate how others may exercise your copyright rights–such as the right of others to copy your work, make derivative works or adaptations of your work, to distribute your work and/or make money from your work.

You will want to check to see that the online program you are interested in provides solid, standards-based content, is an accredited program, and that the instructors are licensed by the state certification agency in the subject area of the course. There are some strong and mixed views about whether that would fly in a court if one is licensed as a counselor or therapist. The issue of license portability was also raised, specifically in the context of forensic evaluation as an expert, but of course the notion of having cooperation between states would have greater implications for the profession as more consultation of all varieties becomes easier to do through the use of technology. The license is a statement as to what others may do with your work, so you should select a license that matches what you are happy for others to do with your work. Finally, you can also consult a lawyer to obtain advice on the best license for your needs.

What information should your organization know that you don’t? This information will get you started as you explore the online learning opportunity. If you want to see how this online endeavor works, check out some of the information for the other “audiences,” like the online teacher. The manager needs intelligent courseware and user interfaces, tailored to his level, without commercial ‘fuzzy’ information but with opportunities for in-depth study. For example, keep a backup copy of files on a home computer so you can e-mail important information to students.

The contractor shall provide technical and analysis support to the government in support of the USMCC mission and COSPAS-SARSAT. -provide technical support for the analysis of false alarms and interferers, the definition of service areas, the addition of new [Search and Rescue Point of Contacts], the evaluation of new COSPAS-SARSAT related technology, and the commissioning of new MCCs. In support of its contention that the work is beyond the scope of SSAI’s contract, the protester points to the language in the SOW that expressly provides that SSAI is not responsible for maintaining any proprietary software, the fact that no express language covering the work is contained in the contract, the fact that when SSAI’s contract was let Techno-Sciences was responsible for maintaining the proprietary online software, and the fact that costs under the contract have exceeded the estimated price of the work.

NOAA responds that the work being performed by SSAI under these task orders is within the scope of SSAI’s contract because of the broad language of the technical support section of the SOW, which was said to cover support of the entire COSPAS-SARSAT mission as well as the USMCC effort–both online and offline functions–with the sole exception of maintaining Techno-Sciences’s proprietary software. The record shows that the express purpose of the SSAI contract is to provide NOAA with the required support necessary to operate and maintain the USMCC. Consistent with this purpose, the language in the scope of work broadly defines technical support to include, among other things, analysis of new or changing Cospas-Sarsat requirements, and other support as required by the Cospas-Sarsat mission. C of the SOW specifically requires SSAI to provide technical and analysis support to the government in support of the USMCC mission and Cospas-Sarsat, without any stated restrictions.

The Open University Business School (UK) is a pioneer in identifying competencies of online coaches. An advisory committee of business, government, and educational leaders was formed and met annually to provide input to the hubsite managers. In fact, many companies have used patents to protect novel ways of doing business on the Web. However, it’s advisable to officially register the copyright for Web content that has high business value, since official registration provides irrefutable proof of authorship. Creating and Managing Information Security Policies Survey: Companies disregard data security breach risks Blogging on corporate laptops is risky business Convergence of security and network management has pros and cons Embarking on the ISO 17799 certification trail How can a CSO take ownership of a security program. The goal of any online business is to sell something, be it a product, service, or information. Your web site should reflect how you want customers to feel about your business. One of the top Internet business strategies is to choose relevant keywords for the most efficient search engine optimization.

The article includes research on tipping points and a review of issues involved in building successful networks. Online work is organized according to workshop topics. Each workshop has its own folder with work related to that workshop in the folder. Also make sure to follow these rules of “Netiquette” to make sure your work is the best it can be: give credit in your works cited list to anyone whose work you use. This overview focuses on copyright, which explicitly protects “original works of authorship.” For online works created after 1977, copyright lasts for 70 years after the death of the author. For online works, you apply a Creative Commons license to a work by selecting the license that suits your preferences. For offline works, you should identify which Creative Commons license you wish to apply to your work and then mark your work either: (a) with a statement such as “This work is licensed under the Creative Commons [insert description] License.” The only difference between applying a Creative Commons license to an offline work and applying it to an online work is that offline works will not include the metadata and, consequently, will not be identified via Creative Commons-customized search engines. So they apply to all works that are protected by copyright law.

One of the largest benefits of working online is that the work is immediately archived, that is, it is available to everyone, any time they want to access it. Working online is also, in some ways, more secure. Does online working save time because people do not have to meet anymore? Best-practice human resource strategies would give particular attention not only to better job design and the different working conditions associated with online work, but also to sophisticated strategies for building and sustaining work and knowledge networks. The online work uses the World Wide Web, and we are working to develop an increasingly user-friendly environment for this networking.

Want to build a super home business? Our site, Online Work at Home Business opportunity, will show you how; with videos and one-on-one tuition you can’t go wrong.

Like the idea of blogging? Want to know how to Work at Home [http://work-from-home.nzpcs.co.nz] and make money with blogging? We can show you how.

Article Source:

http://EzineArticles.com/?expert=Justin_Boyce

Read more: Online Business Copyrights and Disciplines