It's more than just the gear


Mark Egan

It’s tempting to view technology as the answer to most enterprise security woes. After all, as technology is a big part of the security problem, shouldn’t it also be the solution? Not exactly.

Ask yourself what might happen if a company invested in anti-spam, intrusion detection, antivirus, firewalls, or other technologies, but had no security staff on hand to respond to alerts generated by those technologies, and no documented procedures for employees to follow. No technology in the world could cut through the chaos that would ensue.

In reality, technology is effective only when it is implemented correctly and when processes are in place to ensure its continued effectiveness. Indeed, information security involves people and processes as well as technology. It is people rather than products that run a corporation’s information security programme. Processes serve as a guide to help staff do their duties while protecting corporate security. Technology is a toolset that supports people and processes and facilitates security.


While no universal, one-size-fits-all model exists for security organizations, effective ones share a number of characteristics and components. One of the most important of these is executive involvement. Regardless of the company size, an information security manager reports to executive staff and, in some cases, the CEO. That makes sense now that information security is a boardroom issue, and more and more industry and government regulators insist on compliance with formal information security measures. In these security-savvy organizations, information security staff have to help set the goals and objectives and build the strategies of their security programme, as well as conduct compliance and audit work to ensure that the programme works and achieves the set goals. In some organizations, security staff may also perform normal day-to-day activities such as patching servers, maintaining firewall rules, and scanning the environment for vulnerabilities, even though IT staff can handle many of them. Other organizations prefer to outsource all or part of their security duties to a managed security services provider.

Infosecurity Today July/August 2005

People

The people component of an information security program is the most important and the most challenging. The right security organization can often compensate for deficiencies in processes or technology.

Whether outsourced or not, information security specialists are the foundation of a successful information security programme. Their strategic and tactical activities help ensure that the company’s security processes and products defend the organization effectively from current and future threats.

Processes and procedures

Security processes, the second component of information security, comprise policies, standards, and procedures. Policies provide the framework for an information security programme, while standards define the compulsory requirements for technology use throughout the company, and procedures are the step-by-step instructions that guide employees in how to conduct their work in a secure manner.

Processes clarify key areas of a corporate information security program. They cover account administration, remote access, vulnerability management, acceptable use policies, security awareness, and emergency response. The idea is to formalize the process of implementing security—to detail the security goals of the organization as well as the practices to be employed. But that’s not all. Once these processes are established, employee compliance with them must be measured, especially since applying security processes often requires significant time and resource investments that must be weighed against results.

Evolution

It’s no surprise that corporate information security processes often adapt to changes in the technology and threat landscapes. Creating and maintaining effective processes is a balancing act between enabling employees to do their jobs and ensuring the integrity and confidentiality of information. But it is essential to maintain the dynamic nature of this key security component to enable organizations to apply the latest practices and products. Otherwise the organization can no longer respond to emerging threats that target an ever-changing range of systems and software.

A few good tools

Technology is the final component of information security. With technology, as with all other areas of security, quality is often more important than quantity. Too often companies buy and install a multitude of security products in an attempt to cover all bases, only to find that their efforts raise even more problems. While many innovative and highly effective information security technologies are available today, it is better to have fewer, properly configured solutions than to have many misconfigured ones.

The most powerful security infrastructures provide defence-in-depth. This involves segmenting the corporate computing environment into layers such as the gateway, server, and client. Large enterprises can have hundreds or even thousands of these devices, and each device or layer requires its own type of protection.

For example, because the gateway layer marks the interface between the internet and the corporate extranet, unauthorized traffic must be stopped from passing across it. Malicious code such as viruses, worms, and Trojan horses, as well as spam, must be stopped too. Thus gateways typically need a firewall, antivirus software, and content filtering or anti-spam tools.

Another prudent technology choice for the gateway is intrusion detection. This detects any suspicious or malicious traffic that was able to sneak through the other defences.

At the server layer are shared computers that provide a specific function for the company. Because these computers are on the corporate network and enable employees to perform many of their day-to-day operations, they need a slightly different set of protective technologies. All servers require antivirus to protect them from getting and spreading viruses. Host- and network-based intrusion detection systems are also valuable, as they give organizations a more complete picture of attempted attacks on one or more systems on the network. In addition, vulnerability management offers an inside-out view of the network that helps identify possible weak spots.

The client makes up the final layer of the computing environment. Clients include laptops, desktops, and even personal digital assistants (PDAs). These too require their own firewall, antivirus, and intrusion detection—particularly if they move from place to place with the employee. By protecting all clients from internet threats, the organization also protects its overall network.

Technology will always be a key component in any information security program. Properly configured, information security solutions can give enterprises a very potent set of tools for thwarting attacks. What’s more, technology is most effective when it is implemented correctly and supported by appropriate processes and procedures. In the end, it is only with the right combination of people, processes, and technology, that enterprises can fashion a robust information security program that can ward off today’s cyberthreats and ensure the integrity of their information.

About the author

Mark Egan is Symantec’s chief information officer and vice president of information technology. He is responsible for the management of Symantec’s internal business systems, computing infrastructure, and information security program. He holds a master’s degree in finance and international business from the University of San Diego and a bachelor’s degree in computer sciences from the University of Clarion. Egan brings more than 25 years’ experience in information technology from a variety of industries. He is a member of the American Management Association’s Information Systems and Technology Council and serves on the technical advisory boards for Golden Gate University and the Center for Electronic Business at San Francisco State University. Egan is also co-chair of TechNet’s Cyber Security Practices Adoption Campaign. Egan is author of Executive Guide to Information Security: Threats, Challenges, and Solutions from Addison Wesley and was a contributing author to ‘CIO Wisdom’. Egan is also a frequent speaker on best practices for information technology and information security.