10 Elements Of A Good Security Plan

Experts agree the first step in providing strong security around access to corporate information is to develop a security plan. And while that sounds easy enough it requires some time and effort and an understanding that the plan has to be flexible and consistently followed.

“A good security plan is a dynamic,” says Christopher Faulkner, CEO of CI Host, Dallas, Tex., a provider of managed Web hosting, dedicated hosting and colocation solutions. “You can’t build it one day and forget about it,” he advises.

That’s because security is a daily issue and IT leaders need to make sure that users are adhering to the plan and policies put in place.

“People do what you inspect, not what you expect. You have to remember that your biggest security threat, is from employees – people inside the company (including remote workers) already using the systems of the enterprise,” says Faulkner.

The focus of a good plan is making sure good solid policies are created, advises another expert.“The idea of a good security policy has moved away from just protecting the technology and more about protecting the actual information,” explains Doug Conorich, global solutions manager, managed security services for IBM, Blue Bell, Pa.

So what should be included in a good security plan? Conorich and Faulkner offered up 10 elements that you need to include:

The Need For Assessment

1. Cover All The Bases: In this case that means not only wired and wireless technologies, but also authorizations for applications (i.e., database) and information (i.e., customer information) access. “Identify the assets that you are trying to protect,” Faulkner says. “You can’t create a policy unless you identify those.”

For example, within databases you can segregate information by employee roles. So a salesman might be able to get a list of customer and phone numbers, but not billing information, Conorich says. People in the billing department would be able to get access to all of that.

2. Conduct A Risk Assessment: As part of the security planning process, perform a risk assessment by ranking company data and assets in priority order in terms of the value that would be lost due to theft or breaches. While the theft of an e-mail list may or may not be damaging, the theft of customer credit card information or other proprietary information is clearly bad.By prioritizing the assets you can map out how much security investment is required for good protection. This will highlight the wireless devices that could come under attack and the information assets that could be at risk. For example, there is a risk someone could obtain a password, but they would likely would need to have expert knowledge of the system to do damage so that risk point is low. On the other hand, the threat of a buffer overflow could do some damage and should be considered a high ranking risk if it is a valid issue, Conorich says.

3. Classify The Data: Institute companywide classification of data: What is public, private and who has access to what data. How is data stored? How is it backed up? For example, public information would be anything you wouldn’t care if a competitor sees, like advertising information. Private information, like how a product is developed, would be private, Conorich says. Security at this point is also tied to the type of backup due to the potential of losing movable media (like tapes).

4. Map Out A Policy: Outline a need-to-know philosophy around security information, Faulkner recommends. Front-line people don’t need to know everything. Include checks and balances so to ensure that proper policies, procedures are adhered to when information is accessed. Everyone needs to understand policies and guidelines, Faulkner adds. If all information is denied to frontline people, they will begin to fill in the gaps with their own imaginations.

5. Put A Policy Leader In Place: Tap a specific IT employee or business manager to be in charge of the security policy, so he or she can change it as new information becomes available, Conorich advises. “You have to make sure that what you are doing continues to be best practice.”

This policy leader should be responsible for updating the security policy on a regular periodic basis, and make changes any time there are major security changes within the company, like new remote access capability. There may be new applications that come online or compliance rules might change (i.e., Sarbanes-Oxley), Conorich points out. So policies must be updated to comply with the new environment.User Education Important

6.What A Good Policy Includes: The security policy should outline what company data should be encrypted, how it should be encrypted (64-bit, 128-bit, etc.), as well as spell out who has access rights to the encryption key(s). Similarly, the security policy should include details about passwords, including how often they should be changed and securing the password (i.e., no notes taped to the desktop).

By encrypting all sensitive data, a company doesn’t lose more than a wireless device if a laptop, PDA, etc., is stolen or gets misplaced. This also helps protect data on movable media, like tapes, as well as data in stationary company systems, like servers and mainframes. For example, if ChoicePoint or Bank of America had encrypted their data the recent security breaches would have been a non-issue, Conorich points out.

7. Don’t Restrict Policy Reach: Don’t limit the security plan to laptops and traditional computers and network systems. Earlier this year, the first PDA virus made its way into the market. With PDAs and even cell phones becoming much more like computers, it’s important that they be included in any type of security plan, Conorich explains.

Therefore the plan should include information about proper use of these devices on network systems as well as security precautions that users of these devices are expected to follow (i.e., automatic updates for security patches). Denying access for outside devices is probably the best policy, Faulkner says. But some firms may consider that to be too restrictive.8. Connectivity Guidelines Important: A wireless security policy should include information about proper connection policies, remotely or within the organization. For example, wireless devices shouldn’t be connected to the WLAN (inside the company) and the internal LAN at the same time, because this exposes company information to the outside world at the same time, Conorich notes.

9. Outline User Restrictions: The security policy should limit and restrict access of wireless communications, Faulkner recommends, as the technology’s nature is very exposed at this point. “It’s just too insecure. Wireless security is an oxymoron. If it’s wireless, it’s not secure” due to people “sniffing” the airwave for wireless signals, he says.

That’s why he recommends that any sensitive company data be communicated only over secured lines, rather than over the airwaves. Faulkner points out that hackers have been known to set up “evil twin” access points that appear to be those of popular hotspots or of the company, and boost the access point’s signal to “encourage” the wireless user to link to the rogue device.

10. Outline Impact Of Policy Infractions: No policy is worth its salt if there is no enforcement or stipulated ramifications if the policy is not followed. IT leaders should work with HR and other business executives to map out infraction violation ‘punishments’ and as corporate data is a company’s most valuable asset the punishment needs to be tough.

As Faulkner advises, any type of strict disciplinary policy needs to be preceded by intense education. The goal is security, not punishment. Education, if done properly, increases the security and alleviates or at least lessens the need for punitive action.0