Top 10 Information Systems Security Controls in the Enterprise
The modern Enterprise IT Infrastructure as we know it today has evolved over the years, from the huge computers in the mid 1940s, which could not even do what our small calculators can do today, to the years of mainframes. We now have high processor computers with lots of storage space and high speeds that are easily affordable. We have seen a shift of focus from centralized to decentralized, distributed, network computing within enterprises. All these developments have been great, as they have eased the way we do business, but also brought myriad of enterprise security issues.
In this article we look at the top 10 enterprise security controls that we could deploy to reduce on the effect of known enterprise infrastructure security issues.
1. Take a holistic approach to security
Successful enterprise security requires good planning and a holistic security strategy that considers everything in the organizations, from business processes to the people, on an ongoing basis. Many at times enterprises consider costly technical solutions, as a reaction to security breaches.
2. Develop an Enterprise security program / policy
Organizations need to develop security programs that outline the Roles, policy, procedures, standards and guidelines for the Enterprise security.
Roles: Outline who is responsible for what e.g. Chief Information security officer (ISO) could be s responsible for ensuring a good security posture for the organization.
Policies: These are general organization wide statements that set out the mandatory requirements to ensure a minimum security level. Examples include: Acceptable E-mail Use Policy, Internet use policy, Mobile devices use policy etc...
Standards: these are derived from policies, laying out specific steps or processes required to meet a certain requirement. For example a requirement that all email communication be encrypted.
3. Manage Risk - On a continuous basis
Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. This involves identifying the assets in the organization that you need to secure; these could include human resources, technology, trade secrets, patents, copyrights etc... Then identify all possible risks that could affect the availability, confidentiality and integrity of these assets. Management can then decide what to do with the identified risks; risks can either be mitigated or transferred to a third party like an insurance company.
4. Refine Business Processes: Adopt Industry best Practices
Beyond the need to manage Enterprise IT technology, is the need to establish and employ best practices and processes to optimize IT services. A number of internationally recognized frameworks have been developed already to describe effective ICT infrastructure management processes. Hence there is no need to re-invent the wheel.
Examples include:
COBIT - Control Objectives for Information and related Technology {1},
ITIL - The Information Technology Infrastructure Library {2}
and ISO 27001 {3}
5. Streamline physical / environmental security
Physical and environmental security is vital in protection of information assets and ICT Infrastructure in the Enterprise. Physical security should look at issue like, monitoring and detection e.g. security guards, alarms, CCTV. Access control and deterrent solutions e.g locks, fencing, lighting, mantraps, Biometrics etc. Environmental control and design, server room temperature, humidity, air conditioning, static electricity, fire suppression and detection, Power generation and backup, all these should be well streamlined.
6. Deploy content filtering / inspection solutions.
As content, (email, internet traffic etc...) moves in and out of the enterprise, there is need for it to be managed well to avoid any security breaches and attacks. Controls could include:
- Web filters to enforce organizational Internet usage policies through content filtering, application blocking, and best-of-breed spyware protection.
- Spam filters / Firewalls to protect your email server from spam, virus, spoofing, phishing and spyware attacks.
- Unified Threat management solutions(UTM): Several organization choose to deploy UTM solutions that offer industry leading functionalities within one package including Intrusion Prevention System; Antivirus with Antispam; Web Filtering; Antispam; Firewall; SSL - VPN; Traffic Shaping and many more.
7. Manage the inside of the Corporate Network
We have already seen that there are increased security breaches that come from within the enterprise; therefore it's vital to manage the inside of the enterprise network very well. Some of the steps we could take include the following:
- Taking an inventory of all authorized and unauthorized software and devices on the network.
- Maintenance, Monitoring, and Analysis of Audit Logs
- Continuous Vulnerability Assessment, patch management and Remediation
- Limitation and Control of Network Ports, Protocols, and Services
8. Have an Identity and Rights Management System
Identity management is very vital and important to avoid user rights violation and excessive rights issue. Put in place procedures, guideline and a system for Identity management, which involves creation of users, change of user rights, removal of rights, resetting lost user password. This also calls for Controlled Use of Administrative Privileges. Is access in the Enterprise based on a need to know basis? For example should everyone in the organization have access to the payroll database?!
9. Put emphasis on Data Loss Prevention (DLP).
Data loss prevention puts into consideration the security of data, both in motion and static. With the advent of portable devices and memory sticks that have lots of storage space, it very easy for someone to copy lots of corporate data on a removable media in just a matter of seconds. I have heard of stories of disgruntled employees selling clients databases to the competition. Data loss prevention (DLP) encompasses the tools that prevent accidental data leakage, including device and port control, encryption (both hard-drive and removable media encryption).
Also how does your organization handle hard disks that have sensitive information and need disposing off? How about paper documents? I bet one could get lots of information by just dumpster diving into corporate trash bins (am told some investigative journalists use this method to "snoop"). There is no excuse for organization not to shred sensitive paper documents, given all the shredders available on the market; some can even shred plastic and CD media.
10. Don't go it alone
Securing information assets is becoming more vital every day; unfortunately many organizations do not consider it important until a breach has actually happened.
You can imagine the direct cost of not being proactive as far as information security is concerned, which could include, the cost to recover data lost or altered during an incident, cost to notify customers of breaches, fines for non-compliance and indirect costs e.g., lost customers, lost productivity, time spent investigating/resolving breaches and hoaxes, and so many. Therefore it's crucial to seek for external assistance from an external firm or consultant if need be, to assist in areas like:
- Carrying out an IT audit and Penetration Tests a.k.a "Ethical hacking" on your own infrastructure.
- Assisting with Information security awareness training for your staff etc...
It's important to note that securing information assets in an enterprise is not just an event, but is a continued process that requires an ongoing effort and support of the top management, this is because the threats to information systems continues to evolve and change daily.
References:
1 itgovernance
2 itlibrary.org
3 http://www.27000.org
Gloss