1. Policies and Procedures
Security policies are the foundation on which all standards, processes, and procedures are based. The policies need to address all aspects of information security and comply with all legislative and regulatory requirements. Standards define technologies and the implementation specifics to secure these technologies. Standards cover: operating systems (Win2000, Solaris, Linux, etc.); applications (IIS, Oracle, SQL, Instant Messenger, etc.); security technologies (firewalls, routers, VPN, IDS, security management systems, etc.); and other technologies (wireless, network attached storage, Web services, etc.). The processes and procedures of more mature organizations include a robust project life cycle that addresses security in all phases of a project.
2. Auditing and Monitoring
Compliance with the company’s policies is accomplished through regular audit and monitoring. Combinations of both internal and external audits are typically mandated by company policy and legislative and regulatory requirements. The return on investment for proactive monitoring can be substantial, as it can prevent a crisis or disaster from occurring. However, it is important to restrict monitoring to authorized personnel. In addition to raising privacy concerns, system monitoring tools can be intrusive if misconfigured or misused, and any abnormalities found during the monitoring process, or reported by request, can result in an investigation. The investigation process itself can often lead to litigation, and any mishandling of evidence or of the investigation can result in financial or reputation loss.
3. Employee Awareness
An ongoing employee or user awareness program that supports information security policies is an important ingredient for an effective information security program. Too often, information security is thought of as a technology issue. Although technology plays a significant role, user awareness needs to be carefully considered when establishing an information security program. Information security starts at the top. Management buy-in is crucial to a program’s success. Employee awareness needs to be an ongoing process, communicated over various media, with periodic checkpoints to assess what is being absorbed and what is being ignored so that appropriate adjustments can be made.
4. Access Administration
Access administration includes authentication (password, token card, S/Key, etc.) and authorization (privileges). Network and application access can be administered over many systems. Systems used to administer access can include Active Directory, Enterprise Resource Management Systems, Strong Authentication Systems, Certificate Authorities, etc. Systems that centralize or consolidate the administration of disparate access systems, such as Single Sign-On, can streamline the access assignment process and greatly reduce the security risk associated with the addition, modification, or removal of privileges.
5. Security Infrastructure
Security technologies provide various layers of defense. Administration and troubleshooting efforts are typically proportional to the number of devices, number of users, business demands, and complexity of the environment.
6. Security Architecture
Technology continues to evolve at a very fast pace. New and existing applications can provide a competitive advantage. However, new technologies can also introduce risk. Evaluating, building and implementing technology can be an intensive process. As new technologies, such as wireless, Web services, or biometrics, are introduced into the environment, the development of new security standards, processes, and procedures is required. While security architecture doesn’t always involve new technologies, similar risk assessment and mitigation evaluation processes are needed.
7. Vulnerability Management
It’s crucial to have a strong knowledge of technologies and the environment to keep on top of new vulnerabilities and risks. Additionally, it’s equally important to have a patch release management program that can provide needed patches in a timely manner. The alerts being monitored need to be aligned with the technologies used by the business and must be mapped to the owners of the technologies. Having detailed processes and procedures to address emergency situations is also essential. Mitigation measures often need to be determined, evaluated, and implemented quickly if critical patches cannot be applied immediately.
8. Business Continuity
Availability, confidentiality, and integrity are the cornerstones of security. Creating and testing disaster recovery and business continuity plans is vital. Plans should include not just recovery of systems, but prevention of unauthorized physical and electronic exposure.
9. Voice Systems
Voice systems, and the conversations conducted over these systems, are another area of concern. As convergence projects move traditional analog voice to Voice over Internet Protocol (VoIP), the security of voice systems becomes a greater concern.
10. Physical and Environmental Security
The physical security of an environment can have a direct impact on information security. Threats posed by water, fire, and vandalism need to be considered. Technologies and other safeguards, including building access controls, office space configurations, receptionists, and guards all help to secure an environment. While many of these responsibilities are found in other organizations, a tight bond between physical and information security needs to exist. The area of investigation necessitates that bond, as does the use of the network for transmitting images and leveraging personnel databases.
Typically, the more robust an information security organization, the more areas of responsibility it assumes. The level of depth with which each area of concern is addressed will vary from one organization to another. The nature of the business and the value of data and intellectual property are driving factors. Additional factors to consider include:
• The number of users and customers supported.
• The number of applications and application developers supported.
• A company’s desire to use new or leading-edge technologies.
• The number of different architectures and operating systems supported.
• The number of external connections supported, e.g., Internet, third-party connections, and remote access.
• The amount of e-business supported.
• The physical size and geographical dispersion of the company.
• Mergers, acquisitions, and separations.
• Legislative and regulatory requirements, e.g., Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLB), Sarbanes-Oxley Act.
In weighing risk, a company needs to consider the ramifications of a confidentiality, integrity, or availability breach from legal, employee, organizational, and public perspectives. So it’s important that an information security group has a sufficient number of resources – security professionals with the breadth of knowledge – to address all of these security areas. Although some pieces of information security can effectively be managed outside of the information security organization, a robust information security organization is usually able to move more swiftly and decisively. The ability to move quickly and decisively can be crucial during an information security crisis. A company can also benefit from the "economies of scale" that a unified, single security organization provides.
More important than knowing how to count its information security staff, a company needs to be able to count on its information security staff. When it comes to its information security organization, a company first and foremost needs to ask itself whether its staff can adequately address all of its information security concerns.
Mark Donadio is the director of information security at KPMG LLP, and is based in Montvale, N.J. For more information, e-mail him at firstname.lastname@example.org. KPMG LLP is the accounting and tax firm that has maintained a continuous commitment throughout its history to providing leadership, integrity, and quality to the capital markets. KPMG LLP (www.us.kpmg.com) is the U.S. member firm of KPMG International. KPMG International’s member firms have nearly 100,000 professionals, including 6,600 partners in 150 countries.