ISO 17799 Information Aggregator

Cluster Approach Projects video

Posted: June 21st, 2010 | Author: admin | Filed under: YouTUBE Videos

A cluster approach project is a context in which SMEs are made aware of the benefits provided by new technologies, models or standards and are brought together in a common project to share resources and therefore reduce costs. Each SME takes part in the common project with the same objective but carries out its own sub-project, which gives it specific support to succeed with its improvement plan. Cluster approach projects establish a collaborative framework that accommodates different technologies and models:

- Software Process Improvement: CMMI®, SPICE (ISO 15504), ITMark
- SW Systematic Reuse
- IT Service Management (ISO 20000)
- Trust, Security and Dependability (ISO 27000)

http://www.youtube.com/v/QbjdsIMKEaw?f=videos&app=youtube_gdata

The rest is here: Cluster Approach Projects video


ISO 27001 Information Security Newsletter – New Issue Released

Posted: June 21st, 2010 | Author: admin | Filed under: Uncategorized

1) Obtaining the ISO 27001 and ISO 27002 Standards
2) 17799? Or 27002?
3) Security Risk Management
4) ISMS Based Document Controls via ISO/IEC 27001
5) More ISO 17799/27001 Frequently Asked Questions
6) Trials and Tribulations of an …

See the article here: ISO 27001 Information Security Newsletter – New Issue Released


RUIJIA TRADING LTD corporate blog. | kitchen appliances manufacturer

Posted: June 21st, 2010 | Author: admin | Filed under: Uncategorized

Management Certification: HACCP ISO 9001:2000 ISO 9001:2008 QS-9000 ISO 14001:2004 ISO 17799 OHASA 18001. Contract Manufacturing: OEM Service Offered Design Service Offered. Uncategorized kitchen appliances wholesale manufacturer …

Excerpt from: RUIJIA TRADING LTD corporate blog. | kitchen appliances manufacturer


ISO 27001 Security Standard Published

Posted: June 20th, 2010 | Author: admin | Filed under: Uncategorized

This standard essentially defines an Information Security Management System (known as an ISMS), and complements the ISO 17799 ‘code of practice’ standard, which was re-published earlier in the year. It specifies the framework for the …

Read the rest here: ISO 27001 Security Standard Published


Advanced Ims And Datacenter Solutions From Gss America

Posted: June 20th, 2010 | Author: admin | Filed under: Uncategorized

GSS America’s IMS and datacenter solutions facilitate services that mainly include:

- RIM or Remote Infrastructure Management
- Infrastructure consolidation and virtualization
- Enterprise collaboration
- Management of business services
- Data center consolidation and outsourcing of data centers (this relates more specifically to GSS America’s datacenter solutions)

The services mentioned above consist of a wide spectrum of basic services that are pivotal in the maintenance and growth of a global company.

A few of the major advantages of GSS America’s IMS and datacenter solutions include:

- Reduction in IT operational costs
- Improved predictability and, as a result, a corresponding decrease in investment risk
- Redeployment of internal resources to core projects
- Reduction of capital expenses pertaining to software license ownership
- Most importantly, realignment of the service value to the end user

About GSS America

GSS America Infotech Limited is an IT services company that was founded in 1999 and has since grown to become a prominent name in the IT services sector, specializing in IMS solutions and application management solutions. It is headquartered in Hyderabad, India, handles operations across the US, Asia Pacific and the Middle East, and offers services across a wide spectrum of industry verticals including manufacturing, healthcare, aerospace, e-governance, retail, financials, telecommunications, entertainment, transportation, energy and utilities. It has key business partnerships with companies such as HP, Microsoft, NetIQ, Sun Microsystems, IBM, BMC, Tripwire and BEA.

The advantages provided by GSS America

- GSS America’s Datacenter Solutions are ITIL compliant and, in general, all processes are certified against ISO 27001 (information security management), ISO 27000 (standard of IT service management) and ISO 9001:2000 (quality management systems)

- The time tested global delivery model and the managed services model with flexible engagement models as suited to the needs of the client

- A dedicated and highly capable NOC (network operations center) and remote delivery center at its headquarters in Hyderabad, India

- Domain independent operational models

- High levels of infrastructure security and effective disaster management

Follow GSS America at http://twitter.com/GssInfotech 

Retrieved from “http://www.articlesbase.com/information-technology-articles/advanced-ims-and-datacenter-solutions-from-gss-america-2169542.html”

See the rest here: Advanced Ims And Datacenter Solutions From Gss America


Top 10 Information Systems Security Controls in the Enterprise

Posted: June 20th, 2010 | Author: admin | Filed under: Uncategorized

The modern enterprise IT infrastructure as we know it today has evolved over the years, from the huge computers of the mid 1940s, which could not even do what our small calculators do today, through the years of mainframes. We now have computers with fast processors, large amounts of storage and high speeds that are easily affordable. We have seen a shift of focus from centralized to decentralized, distributed, networked computing within enterprises. All these developments have been great, as they have eased the way we do business, but they have also brought a myriad of enterprise security issues.

In this article we look at the top 10 enterprise security controls that we could deploy to reduce the effect of known enterprise infrastructure security issues.

1. Take a holistic approach to security

Successful enterprise security requires good planning and a holistic security strategy that considers everything in the organization, from business processes to the people, on an ongoing basis. Too often, enterprises consider costly technical solutions only as a reaction to security breaches.

2. Develop an Enterprise security program / policy

Organizations need to develop security programs that outline the roles, policies, procedures, standards and guidelines for enterprise security.

Roles: Outline who is responsible for what, e.g. the Chief Information Security Officer (CISO) is responsible for ensuring a good security posture for the organization.

Policies: These are general, organization-wide statements that set out the mandatory requirements to ensure a minimum security level. Examples include an Acceptable E-mail Use Policy, an Internet Use Policy, a Mobile Devices Use Policy, etc.

Standards: These are derived from policies, laying out the specific steps or processes required to meet a certain requirement, for example a requirement that all email communication be encrypted.

3. Manage Risk – On a continuous basis

Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. This involves identifying the assets in the organization that you need to secure; these could include human resources, technology, trade secrets, patents, copyrights, etc. Then identify all possible risks that could affect the availability, confidentiality and integrity of these assets. Management can then decide what to do with the identified risks; risks can either be mitigated or transferred to a third party such as an insurance company.

4. Refine Business Processes: Adopt Industry best Practices

Beyond the need to manage enterprise IT technology is the need to establish and employ best practices and processes to optimize IT services. A number of internationally recognized frameworks have already been developed to describe effective ICT infrastructure management processes, so there is no need to re-invent the wheel.

Examples include:

- COBIT - Control Objectives for Information and related Technology {1}
- ITIL - The Information Technology Infrastructure Library {2}
- ISO 27001 {3}

5. Streamline physical / environmental security

Physical and environmental security is vital to the protection of information assets and ICT infrastructure in the enterprise. Physical security should address:

- Monitoring and detection, e.g. security guards, alarms, CCTV.
- Access control and deterrent solutions, e.g. locks, fencing, lighting, mantraps, biometrics.
- Environmental control and design: server room temperature, humidity, air conditioning, static electricity, fire suppression and detection, power generation and backup.

All of these should be well streamlined.

6. Deploy content filtering / inspection solutions.

As content (email, Internet traffic, etc.) moves in and out of the enterprise, it needs to be managed well to avoid security breaches and attacks. Controls could include:

- Web filters to enforce organizational Internet usage policies through content filtering, application blocking, and best-of-breed spyware protection.

- Spam filters / firewalls to protect your email server from spam, virus, spoofing, phishing and spyware attacks.

- Unified Threat Management (UTM) solutions: Several organizations choose to deploy UTM solutions that offer industry-leading functionality within one package, including intrusion prevention, antivirus with antispam, web filtering, firewall, SSL VPN, traffic shaping and more.

7. Manage the inside of the Corporate Network

We have already seen that an increasing number of security breaches come from within the enterprise; therefore it’s vital to manage the inside of the enterprise network very well. Some of the steps we could take include the following:

- Taking an inventory of all authorized and unauthorized software and devices on the network.
- Maintenance, Monitoring, and Analysis of Audit Logs
- Continuous Vulnerability Assessment, patch management and Remediation
- Limitation and Control of Network Ports, Protocols, and Services

8. Have an Identity and Rights Management System

Identity management is vital to avoid user rights violations and excessive rights. Put in place procedures, guidelines and a system for identity management, which covers creation of users, changes to user rights, removal of rights and resetting of lost user passwords. This also calls for controlled use of administrative privileges. Is access in the enterprise granted on a need-to-know basis? For example, should everyone in the organization have access to the payroll database?

9. Put emphasis on Data Loss Prevention (DLP).

Data loss prevention considers the security of data both in motion and at rest. With the advent of portable devices and memory sticks that have lots of storage space, it is very easy for someone to copy large amounts of corporate data onto removable media in a matter of seconds. I have heard stories of disgruntled employees selling client databases to the competition. Data loss prevention (DLP) encompasses the tools that prevent accidental data leakage, including device and port control and encryption (both hard-drive and removable-media encryption).

Also, how does your organization handle hard disks that hold sensitive information and need disposing of? How about paper documents? I bet one could get lots of information just by dumpster diving into corporate trash bins (I am told some investigative journalists use this method to “snoop”). There is no excuse for an organization not to shred sensitive paper documents, given all the shredders available on the market; some can even shred plastic and CD media.

10. Don’t go it alone

Securing information assets is becoming more vital every day; unfortunately, many organizations do not consider it important until a breach has actually happened.

Consider the direct cost of not being proactive about information security: the cost of recovering data lost or altered during an incident, the cost of notifying customers of breaches, and fines for non-compliance, plus indirect costs such as lost customers, lost productivity and time spent investigating and resolving breaches and hoaxes. It is therefore crucial to seek assistance from an external firm or consultant, if need be, in areas like:

- Carrying out an IT audit and Penetration Tests a.k.a “Ethical hacking” on your own infrastructure.
- Assisting with Information security awareness training for your staff etc…

It’s important to note that securing information assets in an enterprise is not just an event but a continuous process that requires ongoing effort and the support of top management, because the threats to information systems continue to evolve and change daily.

References:

1 itgovernance
2 itlibrary.org
3 http://www.27000.org

About the Author

Mr. Thomas Bbosa, CISSP, is an Information Systems Security Consultant and Managing Partner with BitWork Technologies Ltd (http://www.bitworktech.com), an IT firm based in Kampala, Uganda. He is a Certified Information Systems Security Professional (CISSP) with over 10 years of experience in the IT industry. He has been involved in various roles in IT infrastructure management and support, information systems security management and solutions deployment.

Article Source:

http://EzineArticles.com/?expert=Thomas_Bbosa

Read the original post: Top 10 Information Systems Security Controls in the Enterprise


ISO 27002 Security Policy Templates

Posted: June 20th, 2010 | Author: admin | Filed under: Uncategorized

The ISO 27002 Security Policy templates from ecfirst provide an excellent opportunity for organizations to develop customized policies to address critical regulatory compliance mandates. The policy templates are available in Microsoft Word as a download from the ecfirst e-store.

Why is the ISO 27000 such an important standard in the world of information security? The ISO 27000 series provides best practice recommendations on information security management, risks and controls within the context of an overall Information Security Management System (ISMS). It is applicable to organizations of all types, across industries, and sizes.

The security policy templates address all the controls defined within categories and clauses of the ISO 27002 information security standard. The ISO 27002 provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining an ISMS.

Your organization may be impacted by regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and possibly other regulations such as the Payment Card Industry’s Data Security Standard (PCI’s DSS) or U.S. State requirements. An important reference and an excellent framework in the world of information security are the ISO 27001 and ISO 27002 standards. Your organization can get a fast start to addressing regulatory requirements by first developing policies centered around this exclusive global information security standard.

About ecfirst:
ecfirst, an Inc. 500 business, has served over 1400 clients all across the United States in the areas of compliance, security and professional services. ecfirst delivers deep expertise with its full suite of services that include ISMS, IT Project Management, and general security and IT infrastructure solutions.

Retrieved from “http://www.articlesbase.com/management-articles/iso-27002-security-policy-templates-968350.html”

Read the original: ISO 27002 Security Policy Templates


Network Configuration Management Overview

Posted: June 20th, 2010 | Author: admin | Filed under: Uncategorized

This guide gives a brief overview of Network Configuration Management, otherwise known as Network Change and Configuration Management, or NCCM.

Why does it matter?

In a large corporate network it is not uncommon to have hundreds or thousands of network devices. If you add up all your switches, routers, firewalls and other network appliances, and then consider how many lines of configuration settings apply to each one, you can see there is a significant investment in your network’s configuration which needs to be protected.

Contemporary network devices will not only switch and route data, but will also VLAN, prioritize and shape multimedia traffic in converged networks. The settings and parameters that determine how traffic is handled all form part of the configuration of the device, and of course it is vital that all interoperating devices are configured consistently in order to deliver a healthy and reliable network infrastructure.

Of course, the security of your network depends on the way your devices are configured. Corporate governance policies all include data security considerations, such as Sarbanes-Oxley (SOX), GLBA, NERC, PCI DSS, HIPAA, MiFID, SAS 70, ISO 27000, CoCo/GCSx Code of Connection and Basel II. These security standards have all been introduced to ensure that certain minimum levels of security and integrity are maintained for company financial information and any stored personal details of customers. Your network is inherently vulnerable while default settings are used and it is vital that all known vulnerabilities are eliminated through

Therefore configuration settings for your network need to be backed up, verified for compliance with any corporate governance policy or security standard, and consistency of configs maintained across the estate.

Unapproved changes are the biggest threat to IT Service Delivery and the single most likely cause of failures in IT infrastructures. Any changes that occur outside of established tracking and approval processes are classed as Unapproved Changes and, by definition, are undocumented. No audit trail of a change being made means there is no foothold to start from when troubleshooting a problem. In fact EMA primary research has indicated that greater than 60% of all environment failures would be eliminated if unapproved changes were identified before affecting IT performance.

Unapproved changes are introduced from a variety of sources including security violations, inappropriate user activity, and administrator errors. Even a seemingly benign alteration can have far-reaching unintended consequences to IT security, performance and reliability. Over time, system configurations deviate further and further away from established standards. This is referred to as “configuration drift”, and the greater the drift, the greater the risk posed to the reliability of an IT support stack.

The Network Change and Configuration Management Solution

A practical solution to address these requirements is to automate config backups and change tracking, which has given rise to the Network Change and Configuration Management, or NCCM, market.

Change and Configuration Management (CCM) is the process for minimizing configuration drift by ensuring all environment settings are approved and consistent with established standards. CCM is composed of three distinct practices: configuration management which is the creation, documentation and updating of standard settings for all supported IT components; change management which is the process for identifying and approving new configuration settings and updates; and change detection which is an ongoing process of monitoring for inappropriate changes. Achieving compliance objectives for ensuring IT infrastructure reliability requires automated solutions that address all three CCM disciplines.

How does it work?

To date, the development of network device hardware has taken place at a much faster rate than the equivalent development of network management or network configuration management software. In some respects it is understandable – Network Devices didn’t need managing or configuring originally as they were black boxes that either passed data or not. It was only with the advent of shared network infrastructures such as Ethernet that the configuration of addresses and protocols became necessary and some consideration made of the network topology to cater for traffic flows and volumes.

Simple Network Management Protocol (SNMP) came to the fore as a technology to address the need for performance, security and accounting statistics from the network, and at the same time, provide a means of changing the configuration of a network too.

As a standard however, anyone who has used SNMP will know that it is anything but consistent in all but the most basic statistics. It is common to find that the manufacturers’ ‘Management Information Database’ or MIB will purport to support certain performance metrics, only to find that different devices from the same manufacturer do not consistently report information via the MIB.

It is a similar story when using SNMP to gather or update configuration data – your version of Cisco Works may work well at backing up your 2950 switch configs but when you next upgrade to 3750 switches, you may quickly find out that Cisco Works suddenly needs an upgrade (at your expense, of course – ‘What do you mean, you pay annual maintenance? That is only to maintain your software, not to actually make it keep pace with product range developments!’)

Fortunately there are other, more ‘open’ ways to gather configuration settings from network devices: using TFTP in conjunction with scripted Telnet or SSH interactions is a consistent and more easily maintained approach that can be applied to all manufacturers and all devices.

All the above change and configuration management tasks can be automated using network change and configuration management (NCCM) software solutions, the best of which will cover desktop PCs together with change and configuration management of your servers and all network devices such as firewalls, switches and routers.
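As an added example (not code from the article or from any NCCM product), the change-detection and compliance-verification steps described above in Python: a backed-up running config is normalized, diffed against the last approved baseline, each change is matched against an approved-change register, and the whole config is checked against policy rules. The IOS-style configs, the change ticket CHG-1042 and the policy rules are all constructed for the example.

```python
"""Config drift detection: diff a backed-up config against its approved baseline."""
import difflib
import re

# Constructed sample configs. The baseline is the last approved version; the
# current one is what the nightly backup retrieved from the device.
BASELINE = """\
! Last configuration change at 10:02:11 UTC Mon Jun 7 2010
hostname edge-sw-01
service password-encryption
no ip http server
line vty 0 4
 transport input ssh
 login local
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
"""

CURRENT = """\
! Last configuration change at 08:41:55 UTC Sun Jun 20 2010
hostname edge-sw-01
service password-encryption
ip http server
line vty 0 4
 transport input telnet ssh
 login local
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
"""

# Constructed change register: ticket id -> diff lines the ticket authorizes.
APPROVED_CHANGES = {
    "CHG-1042": {"+interface Vlan20", "+ ip address 10.10.20.1 255.255.255.0"},
}

# Constructed policy rules: (description, line regex, whether a match is required).
POLICY = [
    ("password encryption enabled", r"^service password-encryption$", True),
    ("http server disabled", r"^no ip http server$", True),
    ("telnet not allowed on vty", r"^\s*transport input .*\btelnet\b", False),
]

# Banner lines that change on every save and would otherwise show up as drift.
VOLATILE = re.compile(r"^!.*(configuration change|NVRAM config last updated)")


def normalize(config):
    """Drop blank and volatile lines so only real settings are compared."""
    return [ln.rstrip() for ln in config.splitlines()
            if ln.strip() and not VOLATILE.match(ln)]


def config_changes(baseline, current):
    """Return the added ('+line') and removed ('-line') settings, no context."""
    diff = difflib.unified_diff(normalize(baseline), normalize(current),
                                lineterm="", n=0)
    changes = []
    for line in diff:
        if line.startswith(("+++", "---", "@@")):
            continue  # file headers and hunk markers
        if line[:1] in ("+", "-"):
            changes.append(line)
    return changes


def classify_changes(changes, approved):
    """Split changes into those covered by a ticket and those with no audit trail."""
    approved_lines = {ln for lines in approved.values() for ln in lines}
    return {"approved": [c for c in changes if c in approved_lines],
            "unapproved": [c for c in changes if c not in approved_lines]}


def policy_violations(config, policy=POLICY):
    """Check the whole config against each rule; return the failed descriptions."""
    lines = normalize(config)
    violations = []
    for description, pattern, must_match in policy:
        matched = any(re.match(pattern, ln) for ln in lines)
        if matched != must_match:
            violations.append(description)
    return violations


if __name__ == "__main__":
    result = classify_changes(config_changes(BASELINE, CURRENT), APPROVED_CHANGES)
    for kind in ("approved", "unapproved"):
        print(kind, result[kind])
    print("policy violations:", policy_violations(CURRENT))
```

The unapproved changes here (HTTP server enabled, Telnet re-enabled on the vty lines) are exactly the kind of undocumented drift the article says leaves no foothold for troubleshooting, and the policy check catches them even without a baseline.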

All NewNetTechnologies software solutions are built using the latest technology, which means they can be fully adapted to suit all business environments. For more information on Network Configuration Management view our software solutions on http://www.newnettechnologies.com which provide 100% of the features you need but at a fraction of the cost of traditional solutions.

Article Source:

http://EzineArticles.com/?expert=Mark_Kedgley

Link: Network Configuration Management Overview


The Magic of Risk Management Studio

Posted: June 17th, 2010 | Author: admin | Filed under: Uncategorized

The magic of Risk Management Studio is found in how Categories, Threats and Controls are connected. In short, each Category has a number of Threats threatening it, and each Threat has a number of Controls that mitigate it. Let’s look at each part in more detail.

The Role of Assets in Risk Assessment

We use Categories to group Assets together. You may also view a Category as a sort of prototype for Assets. During a Risk Assessment you must define the relevant Assets for your scope, and each Asset should be placed in at least one Category. Risk Management Studio provides a predefined set of Categories that have been defined with information security in focus.

Threats are anything that can potentially damage your Assets (physical or informational). Each Threat has a list of Categories which it threatens. When you create an Asset and place it in a specific Category, it inherits all the Threats which threaten that Category. So, when you take your newly defined Asset and use it in an Assessment, all relevant Threats connected to the Asset will be loaded into the Assessment, ready to be evaluated. Once Threats have been loaded into an Assessment, they are referred to as Risks.

Handling and Treating Risk

Let us take an example. We define a Category named Documents and list several possible Threats, for example Theft and Fire, and assign those Threats to the Category. Then we define our concrete Asset, Financial Records, placing it in the Category Documents. Now we add the new Asset to our Assessment. Under that Asset, two Risks corresponding to the Threats that threaten the Category Documents, namely Theft and Fire, will be added automatically.

This example is simplified, but you can take a look at the data provided with Risk Management Studio, where our in-house experts have defined Categories and Threats based on their expertise with ISO 27001.

In addition to the connection between Threats and Categories, there is a connection between Threats and Controls from ISO 27001. Each Threat has a list of Controls which mitigate that Threat. This connection matters when we take a Risk Assessment and choose to continue work in relation to a specific standard. The resulting object is then called a Risk Treatment.

When a Risk Treatment is created from a Risk Assessment and a Standard, all Controls from the Standard are placed in the Risk Treatment. In addition, each Risk is connected to each Control in the list of mitigating Controls defined in the corresponding Threat. This means that if your Assessment has only a small number of Risks, and each Risk is mitigated by only a few Controls, your Risk Treatment will contain direct relations only between those Risks and Controls. However, since the standard requires that a conscious stance be taken towards all Controls, they are all included in the Risk Treatment.
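The Category, Threat and Control linkage just described, as an added example in Python rather than Risk Management Studio's own code: an Asset inherits the Threats of its Categories when loaded into an Assessment, and a Risk Treatment carries every Control of the Standard while only the mitigating Controls get a direct relation to a Risk. The Categories, Threats and control identifiers (PHYS-1, ACC-1, ...) are constructed placeholders, not ISO 27001 control numbers.

```python
"""Toy model of Assets -> Categories -> Threats -> Controls -> Risk Treatment."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    categories: frozenset  # Categories this Threat threatens
    controls: frozenset    # Controls (from the Standard) that mitigate it


@dataclass(frozen=True)
class Asset:
    name: str
    categories: frozenset  # every Asset sits in at least one Category


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str


# Constructed sample data; control ids are placeholders, not ISO 27001 numbers.
THREATS = (
    Threat("Theft", frozenset({"Documents", "Laptops"}), frozenset({"PHYS-1", "ACC-1"})),
    Threat("Fire", frozenset({"Documents"}), frozenset({"PHYS-2"})),
    Threat("Malware", frozenset({"Laptops"}), frozenset({"OPS-1"})),
)
STANDARD_CONTROLS = frozenset({"PHYS-1", "PHYS-2", "ACC-1", "OPS-1", "HR-1"})


def load_assessment(assets, threats=THREATS):
    """An Asset inherits every Threat that threatens one of its Categories;
    once loaded into the Assessment each (Asset, Threat) pair is a Risk."""
    risks = []
    for asset in assets:
        for threat in threats:
            if asset.categories & threat.categories:
                risks.append(Risk(asset.name, threat.name))
    return risks


def build_treatment(risks, threats=THREATS, standard=STANDARD_CONTROLS):
    """Create a Risk Treatment from an Assessment and a Standard.

    Returns (all controls of the Standard, direct Risk->Control relations,
    controls with no related Risk). Every control of the Standard is present
    because a stance must be taken on each one; only a Threat's mitigating
    controls are linked directly to the corresponding Risk."""
    by_name = {t.name: t for t in threats}
    relations = {}
    for risk in risks:
        mitigating = by_name[risk.threat].controls & standard
        relations[(risk.asset, risk.threat)] = sorted(mitigating)
    linked = {c for controls in relations.values() for c in controls}
    return sorted(standard), relations, sorted(standard - linked)


if __name__ == "__main__":
    records = Asset("Financial Records", frozenset({"Documents"}))
    risks = load_assessment([records])
    controls, relations, unlinked = build_treatment(risks)
    print("risks:", [(r.asset, r.threat) for r in risks])
    print("treatment controls:", controls)
    print("direct relations:", relations)
    print("controls still needing a stance:", unlinked)
```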

Retrieved from “http://www.articlesbase.com/business-articles/the-magic-of-risk-management-studio-1541109.html”

Follow this link: The Magic of Risk Management Studio



Become Confident in Your ISO 27001 Practices

Posted: June 17th, 2010 | Author: admin | Filed under: Uncategorized

Managers who claim that their organizations comply with ISO/IEC 27001:2005 but that they see no need to go through the bureaucracy of getting the ‘badge on the wall’ are only deceiving themselves. The reality, I suspect, is that the vast majority of organizations that won’t submit their Information Security Management Systems (ISMS) to an external audit against ISO 27001, fear that, when it comes to the push, their systems would fail the test.

Survey after survey tells a depressingly familiar information insecurity story. Most recently, the 10th annual CSI/FBI survey revealed that, amongst the security-conscious, information security control-focused members of the CSI, computer crime continued to have a significant financial impact. The average incident last year cost $204,000, and the top two security breaches were through virus attacks and unauthorized access – both of which are comprehensively controlled through the controls and management systems mandated by ISO 27001.

ISO27001 Effectively Manages Data Security

This evidence, combined with the findings of a recent survey carried out amongst UK-based organizations certified to ISO27001, suggests, somewhat contradictorily, that securing information is rarely the primary driver for achieving certification. The top reason was commercial advantage, summed up by one respondent who said that a certificate ‘gives customers confidence that our data security is well managed and certified by an independent source.’

And it’s that certification ‘by an independent source’ which is the real benefit of pursuing ISO 27001 in the first place. US regulators implicitly recognized the importance of external validation for information security effectiveness when they observed that: ‘the best way to strengthen US information security is to treat it as a corporate governance issue that requires the attention of boards and CEOs.’

Achieve High Security Standards through ISO 27001

There are sectors in which the ‘badge on the wall’ debate is already history, and in which certification is now becoming a basic business requirement. UK cheque printers, for instance, are required to comply with a sectoral version of ISO27001 and suppliers to the NHS are expected to be on track for certification (there is now a health sector version of ISO17799) – even if the NHS itself still has some way to go. Business Process Outsourcing companies are finding it much simpler to provide a copy of their ISO 27001 certificate in their tender documentation than to answer detailed information security questionnaires.

Some of this might be expected: BS7799 was, after all, a British Standard, and the UK government’s Cabinet Office has, for several years now, driven take-up across the UK public sector. And as more and more local authorities and public-sector organizations become certified, so the pressure for their private-sector suppliers to achieve the standard will increase – and today’s early adopters are clearly stealing a march on their competitors.

Achieve Your Certificate in ISO 27001

Internationalised as ISO 27001 (http://www.27001.com), information security certification can also be a short cut to best-practice compliance with a wide range of data compliance and regulatory requirements, ranging from Data Protection Acts across the EU, privacy and breach legislation across the OECD, and specific legislation such as GLBA, HIPAA and Sarbanes-Oxley. Determined outsourced suppliers are increasingly insisting that their certificate be taken into account when preparing for and costing their annual SAS 70 audit, with consequently substantial reductions in both the cost of, and disruption caused by, the audit.

Are organizations beginning to recognize that, in fact, it is the badge on the wall that counts? Yes, as evidenced by the increasing number of badges. It took about seven years (to December 1994) for the first 1,000 certificates to be achieved, but less than two and a half years later there are more than 3,500 successes. And certification has a ripple effect: every organization that achieves ISO 27001 will expect its key suppliers to meet the standard. This means that anyone who thinks the badge doesn’t count will have nowhere to hide when the CEO comes asking why your competitors have stolen your lunch.

Alan Calder is an international authority on IT governance and information security management. He led the world’s first successful implementation of BS 7799, the information security management standard upon which ISO 27001 is based, and wrote the definitive compliance guide for this standard, ‘IT Governance: A Manager’s Guide to Data Security and BS7799/ISO17799’. The 3rd edition of this book is the basis for the UK Open University’s postgraduate course on Information Security. He has just written, for BSI, a management guide on integrating ISO 27001 and ISO 20000 management systems, drawing heavily on ITIL best practice. He is a consultant to companies around the world, including Cisco.

Article Source:

http://EzineArticles.com/?expert=Alan_Calder

Read more here: Become Confident in Your ISO 27001 Practices