<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Infosecprofs</title>
	<atom:link href="http://infosecprofs.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://infosecprofs.com</link>
	<description>academy &#124; consultancy</description>
	<lastBuildDate>Mon, 12 Nov 2012 16:42:02 +0000</lastBuildDate>
	<language>nl-NL</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>Information Security &amp; Risk Management Conference, Barcelona Nov. 2011</title>
		<link>http://infosecprofs.com/events/info-security-risk-management/</link>
		<comments>http://infosecprofs.com/events/info-security-risk-management/#comments</comments>
		<pubDate>Thu, 08 Sep 2011 07:04:31 +0000</pubDate>
		<dc:creator>Maartje Mikx</dc:creator>
				<category><![CDATA[Events]]></category>
		<category><![CDATA[Information Security]]></category>

		<guid isPermaLink="false">http://infosecprofs.com/?p=425</guid>
		<description><![CDATA[Kevin Henry speaks at the ISACA, Information Security &#38; Risk Management Conference. 14-16 November 2011 &#124; Barcelona, Spain &#160;]]></description>
				<content:encoded><![CDATA[<p style="float:right; margin:0 0 10px 15px; width:240px;">
		<img src="http://infosecprofs.com/files/2010/09/KevinHenry.jpg" width="240" />
		</p><p><a href="http://infosecprofs.com/files/2010/09/KevinHenry.jpg"><img class="alignleft size-full wp-image-344" src="http://infosecprofs.com/files/2010/09/KevinHenry.jpg" alt="" width="90" height="111" /></a>Kevin Henry speaks at the ISACA, <a title="ISACA conference spain" href="http://www.isaca.org/Education/Upcoming-Events/Pages/Information-Securityand-Risk-Management-Conference-Europe-2011.aspx" target="_blank">Information Security &amp; Risk Management Conference</a>.</p>
<p>14-16 November 2011 | Barcelona, Spain</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecprofs.com/events/info-security-risk-management/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ISC2 Security Congress 19th-21st of September 2011</title>
		<link>http://infosecprofs.com/events/kevin_henry-isc2_security_congress/</link>
		<comments>http://infosecprofs.com/events/kevin_henry-isc2_security_congress/#comments</comments>
		<pubDate>Wed, 07 Sep 2011 10:05:41 +0000</pubDate>
		<dc:creator>Maartje Mikx</dc:creator>
				<category><![CDATA[Events]]></category>
		<category><![CDATA[Information Security]]></category>

		<guid isPermaLink="false">http://infosecprofs.com/?p=417</guid>
		<description><![CDATA[Kevin Henry will speak at ISC2 Security Congress, Orlando FL between 19th-21st of September 2011]]></description>
				<content:encoded><![CDATA[<p style="float:right; margin:0 0 10px 15px; width:240px;">
		<img src="http://infosecprofs.com/files/2011/09/isc2.jpg" width="240" />
		</p><p><a href="http://infosecprofs.com/files/2010/09/KevinHenry.jpg"><img class="alignleft size-full wp-image-344" src="http://infosecprofs.com/files/2010/09/KevinHenry.jpg" alt="" width="90" height="111" /></a>Kevin Henry will speak at <a title="ISC2 conference" href="https://www.isc2.org/sc2011/Default.aspx" target="_blank">ISC2 Security Congress</a>, Orlando FL between 19th-21st of September 2011</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecprofs.com/events/kevin_henry-isc2_security_congress/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Leveraging Technology</title>
		<link>http://infosecprofs.com/blog/infosecprofs-on/leveraging-technology/</link>
		<comments>http://infosecprofs.com/blog/infosecprofs-on/leveraging-technology/#comments</comments>
		<pubDate>Mon, 06 Dec 2010 21:16:13 +0000</pubDate>
		<dc:creator>Kevin Henry</dc:creator>
				<category><![CDATA[Infosecprofs on...]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://infosecprofs.com/?p=358</guid>
		<description><![CDATA[We are presented with a wide array of excellent tools that can assist us in defending our systems, measuring compliance, and testing for vulnerabilities. There is no doubt that without the effective use of these tools, it would be unrealistic to expect that we can defend our systems and data from the many threats and [...]]]></description>
				<content:encoded><![CDATA[<p>We are presented with a wide array of excellent tools that can assist us in defending our systems, measuring compliance, and testing for vulnerabilities. There is no doubt that without the effective use of these tools, it would be unrealistic to expect that we can defend our systems and data from the many threats and risks that are surrounding us.</p>
<p>The challenge is that technology is often underutilized. We have tools that have far more potential than is being used. We all use word processors and other office tools that have a lot more capabilities and features than we normally use. These are features that we have paid for, but like a good book, sit on the shelf unused until we reach out to access them. Life is so busy that we often fail to look into what additional improvements are already there and available. This is a very costly problem when we look at the information management and security tools that organizations have purchased and installed.</p>
<p>During consulting assignments, I often found organizations asking me what tools they should buy, and what new solutions are out there to address their perceived problems, when in fact they already have the capabilities they are looking for in the tools that they already have. We need to take more time to learn how to use the tools we have and work with our vendors to get the most possible benefit from the investment that we have already made without always looking for another tool.</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecprofs.com/blog/infosecprofs-on/leveraging-technology/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Systems Authorisation</title>
		<link>http://infosecprofs.com/blog/infosecprofs-on/systems-authorisation/</link>
		<comments>http://infosecprofs.com/blog/infosecprofs-on/systems-authorisation/#comments</comments>
		<pubDate>Mon, 01 Nov 2010 18:58:06 +0000</pubDate>
		<dc:creator>Kevin Henry</dc:creator>
				<category><![CDATA[Infosecprofs on...]]></category>
		<category><![CDATA[Culture]]></category>
		<category><![CDATA[Governance]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://infosecprofs.com/?p=353</guid>
		<description><![CDATA[A tremendous amount of money and time is spent every year on IT systems. This money goes towards new tools, new software, equipment upgrades and &#8216;so-called&#8217; improvements. The problem is that a significant amount of this expense does not provide nearly enough value for the organization. In addition, we are seeing that the focus on [...]]]></description>
				<content:encoded><![CDATA[<p style="float:right; margin:0 0 10px 15px; width:240px;">
		<img src="/files/2010/09/KevinHenry.jpg" width="240" />
		</p><p><a href="/files/2010/09/KevinHenry.jpg"><img class="alignright size-full wp-image-344" title="Kevin Henry" src="/files/2010/09/KevinHenry.jpg" alt="" width="150" height="185" /></a>A tremendous amount of <strong>money</strong> <strong>and time</strong> is spent every year on IT systems. This money goes towards new tools, new software, equipment upgrades and &#8216;so-called&#8217; improvements. The problem is that a significant amount of this expense does not provide nearly enough value for the organization. In addition, we are seeing that the focus on the function of a system is <strong>often made at the expense of due consideration of the security requirements.</strong> There have been a lot of proposals on how to change this situation over the years &#8211; often through new development methodologies and new standards, but the reality is that this cannot be changed by just changing the process. It can only be changed by providing better oversight and alignment between the business and the IT development efforts. Changing the process requires a new attitude, more accountability and a new perspective. This requires audit, management focus, and objective review of systems design, development and maintenance.</p>
<p>For this reason the field of <strong>system authorisation</strong> is emerging. System authorisation is the objective and independent review of systems development throughout the systems lifecycle with the final accountability not with IT nor with the IT system owner &#8211; but with a <strong>senior manager</strong> that provides the balance and organization-wide oversight of IT risk and development.</p>
<p>Every organization should consider this approach and see where it brings about a good result in ensuring that investment in IT does support the business and provide more value to the organization.</p>
<p><a href="http://www.infosecprofs.com" target="_blank">Infosecprofs</a> provides excellent <a href="http://infosecprofs.com/academy/" target="_blank">training</a> in IT security and organization-wide architecture, and is one of the world leaders in the development of security authorisation educational programs.</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecprofs.com/blog/infosecprofs-on/systems-authorisation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A culture of security</title>
		<link>http://infosecprofs.com/blog/infosecprofs-on/a-culture-of-security/</link>
		<comments>http://infosecprofs.com/blog/infosecprofs-on/a-culture-of-security/#comments</comments>
		<pubDate>Sun, 03 Oct 2010 16:58:58 +0000</pubDate>
		<dc:creator>Kevin Henry</dc:creator>
				<category><![CDATA[Infosecprofs on...]]></category>
		<category><![CDATA[Culture]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://infosecprofs.com/?p=351</guid>
		<description><![CDATA[At a recent conference I heard a great comment from an Information Security professional from Chennai, India. He stated that &#8216;culture is defined as the beliefs we accept without question.&#8217; That is an excellent perspective and the goal we must keep in mind regarding Information Security. Our goal is to accomplish this in all our [...]]]></description>
				<content:encoded><![CDATA[<p style="float:right; margin:0 0 10px 15px; width:240px;">
		<img src="/files/2010/10/Security_culture.jpg" width="240" />
		</p><p><a href="/files/2010/09/KevinHenry.jpg"><img class="alignright size-full wp-image-344" title="Kevin Henry" src="/files/2010/09/KevinHenry.jpg" alt="" width="150" height="185" /></a>At a recent conference I heard a great comment from an Information Security professional from Chennai, India. He stated that &#8216;culture is defined as the beliefs we accept without question.&#8217; That is an excellent perspective and the goal we must keep in mind regarding Information Security. Our goal is to accomplish this in all our Information Security Awareness efforts. Our goal is not to teach the attendees, or force them to see our point of view, but our real objective is to generate a new culture. A culture of security where everyone practices and follows good security practices without having to think about why or what they are doing. We have really been successful when we model a new security culture &#8211; one that everyone accepts and makes a natural part of their activities.</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecprofs.com/blog/infosecprofs-on/a-culture-of-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Network Perimeter Security as a BCP Strategy</title>
		<link>http://infosecprofs.com/blog/infosecprofs-on/network-perimeter-security-as-a-bcp-strategy/</link>
		<comments>http://infosecprofs.com/blog/infosecprofs-on/network-perimeter-security-as-a-bcp-strategy/#comments</comments>
		<pubDate>Wed, 29 Sep 2010 16:26:03 +0000</pubDate>
		<dc:creator>Rick Bellwood</dc:creator>
				<category><![CDATA[Infosecprofs on...]]></category>
		<category><![CDATA[BCP]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://infosecprofs.com/?p=348</guid>
		<description><![CDATA[Network Perimeter Security as a proactive and preventive BCP Strategy. Perimeter security includes the establishment of a controlled perimeter surrounding networks. All incoming traffic will be filtered, blocked and analysed using a secure architecture as well as network devices such as routers, firewalls, IDS and IPS systems, and switches. The objective is to ensure [...]]]></description>
				<content:encoded><![CDATA[<p style="float:right; margin:0 0 10px 15px; width:240px;">
		<img src="http://infosecprofs.com/files/2010/09/rick-bellwood.jpg" width="240" />
		</p><p><strong><a href="/files/2010/09/rick-bellwood.jpg"><img class="alignright size-medium wp-image-349" title="Rick Bellwood" src="/files/2010/09/rick-bellwood-259x300.jpg" alt="" width="181" height="210" /></a>Network Perimeter Security as a proactive and preventive BCP Strategy</strong></p>
<p>Perimeter security includes the establishment of a controlled perimeter surrounding networks. All incoming traffic will be filtered, blocked and analysed using a secure architecture as well as network devices such as routers, firewalls, IDS and IPS systems, and switches. The objective is to ensure that external threats from the untrusted internet and internal threats from insiders do not enter systems in the operations secure zone. A secure perimeter can cut down on the spread of threats throughout the network and is therefore viewed as a BCP preventive strategy.</p>
<p><em>Most Appropriate Use</em><br />
Network security is a key part of the defence-in-depth strategy and of the active security model, that is, the requirement to protect, detect, respond, and recover from an attack. Perimeter security is also a BCP preventive strategy since the perimeter can be used to block and reduce the impacts of attacks aimed at compromising the availability of devices.</p>
<p><em>Advantages</em><br />
Access to networks and systems can be tightly controlled.  Users logging on to systems will be identified, authenticated and authorized before they gain access to sensitive data on the network.  This will result in the enforcement of access control, the reduction of malware, and the reduction of attacks against communication systems that will seek to exploit vulnerabilities and compromise the availability, integrity and confidentiality of information.</p>
<p><em>Disadvantages</em><br />
As cost is the major factor, the BCP Coordinator should work with the network administrators to develop a business case for the installation of devices related to network security. Costs include the financial cost as well as the costs associated with bandwidth restrictions, latency, human resources and a possible slowdown in the production environment.</p>
<p>The business case provided will show the return on security investment.</p>
<p><em>Typical Costs</em><br />
Associated costs include the restriction of bandwidth and throughput associated with screening devices such as IDS, routers and firewalls.</p>
<p><em>Suggestions</em><br />
The BCP Coordinator should work with the network staff (e.g. administrators, staff) to research products that can provide high network perimeter security potential and high screening and blocking capabilities while at the same time promising a lower hit on throughput, latency and bandwidth consumption.</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecprofs.com/blog/infosecprofs-on/network-perimeter-security-as-a-bcp-strategy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Information Security and Governance</title>
		<link>http://infosecprofs.com/blog/infosecprofs-on/information-security-and-governance/</link>
		<comments>http://infosecprofs.com/blog/infosecprofs-on/information-security-and-governance/#comments</comments>
		<pubDate>Sun, 26 Sep 2010 20:11:21 +0000</pubDate>
		<dc:creator>Kevin Henry</dc:creator>
				<category><![CDATA[Infosecprofs on...]]></category>
		<category><![CDATA[Governance]]></category>
		<category><![CDATA[Information Security]]></category>

		<guid isPermaLink="false">http://infosecprofs.com/?p=342</guid>
		<description><![CDATA[Information Security and Governance are terms being used frequently today, but they are almost as frequently misunderstood. It can be difficult to explain what security and governance really are, and why they are important. Security is often misunderstood as a hindrance to &#8216;getting the job done&#8217; or productivity. Instead, we need to change the perception [...]]]></description>
				<content:encoded><![CDATA[<p style="float:right; margin:0 0 10px 15px; width:240px;">
		<img src="/files/2010/09/infosec_rss.png" width="240" />
		</p><p><a href="/files/2010/09/KevinHenry.jpg"><img class="size-full wp-image-344 alignright" title="Kevin Henry" src="/files/2010/09/KevinHenry.jpg" alt="" width="150" height="185" /></a>Information Security and Governance are terms being used frequently today, but they are almost as frequently misunderstood. It can be difficult to explain what security and governance really are, and why they are important. Security is often misunderstood as a hindrance to &#8216;getting the job done&#8217; or productivity. Instead, we need to change the perception of security to that of a business support &#8211; a way to strengthen the business and make it better at what it does best. Security is a way to provide protection and stability, resilience and trust, and ensure that the business has one less thing to worry about.<br />
Information security is focused on ensuring that the business has the data it needs to meet its mission, and that that data is accurate, current, trustworthy and available when needed &#8211; but only to the right people.<br />
The next term mentioned in the title is &#8216;governance&#8217;. Governance can be described in many ways, but let&#8217;s focus for a moment on the responsibility and accountability aspects of governance. To govern, to manage, to oversee is a term of responsibility. It indicates the role of a person that takes care of assets, protects the interests of others, and manages a program to use resources effectively.<br />
Information Security requires governance. It requires oversight, planning, design, review, and correction where necessary. Security is a goal that must be described, planned-for, executed on and enforced. This is governance &#8211; the wise use of the tools at hand and the people available to ensure that the business has the infrastructure, data and procedures that will help it meet its goals and objectives.</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecprofs.com/blog/infosecprofs-on/information-security-and-governance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>E-Health &#8211; Information Security Seminar</title>
		<link>http://infosecprofs.com/events/e-health-information-security-seminar/</link>
		<comments>http://infosecprofs.com/events/e-health-information-security-seminar/#comments</comments>
		<pubDate>Sun, 12 Sep 2010 12:40:17 +0000</pubDate>
		<dc:creator>Wilco Verdoold</dc:creator>
				<category><![CDATA[Events]]></category>

		<guid isPermaLink="false">http://infosecprofs.com/?p=336</guid>
		<description><![CDATA[During the E-Health Conference 2010, Kevin Henry will speak about SABSA, a Business Driven Approach to Information Security Architecture.]]></description>
				<content:encoded><![CDATA[<p>During the <a href="http://www.ehealthontario.on.ca/forms/SeminarPresentation.asp?hq_e=el&amp;hq_m=420270&amp;hq_l=3&amp;hq_v=aef80cdc8f" target="_blank">E-Health Conference 2010</a>, Kevin Henry will speak about SABSA, a Business Driven Approach to Information Security Architecture.</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecprofs.com/events/e-health-information-security-seminar/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Designing a Security Program</title>
		<link>http://infosecprofs.com/events/designing-a-security-program/</link>
		<comments>http://infosecprofs.com/events/designing-a-security-program/#comments</comments>
		<pubDate>Sun, 12 Sep 2010 09:59:49 +0000</pubDate>
		<dc:creator>Wilco Verdoold</dc:creator>
				<category><![CDATA[Events]]></category>

		<guid isPermaLink="false">http://infosecprofs.com/?p=332</guid>
		<description><![CDATA[Security practitioners often struggle to raise the profile of their security program and make it relevant to their organization and senior leadership. The key to achieving executive support is to directly link the security program to the organization’s goals and business drivers, demonstrating how the program can help to mitigate risk and enable opportunities. Kevin [...]]]></description>
				<content:encoded><![CDATA[<p>Security practitioners often struggle to raise the profile of their security program and make it relevant to their organization and senior leadership. The key to achieving executive support is to directly link the security program to the organization’s goals and business drivers, demonstrating how the program can help to mitigate risk and enable opportunities.<br />
Kevin Henry will outline a proven approach, successfully used across a number of organizations and industries, to establish a business-driven enterprise security program and architecture.</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecprofs.com/events/designing-a-security-program/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>We are live!</title>
		<link>http://infosecprofs.com/blog/live/</link>
		<comments>http://infosecprofs.com/blog/live/#comments</comments>
		<pubDate>Tue, 01 Jun 2010 12:44:14 +0000</pubDate>
		<dc:creator>Wilco Verdoold</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://infosecprofs.com/?p=184</guid>
		<description><![CDATA[From now on infosecprofs.com is live. We will add a lot of content in the next weeks; meanwhile, please feel free to contact us.]]></description>
				<content:encoded><![CDATA[<p>From now on infosecprofs.com is live.<br />
We will add a lot of content in the next weeks; meanwhile, please feel free to <a href="http://infosecprofs.com/contact/">contact us</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://infosecprofs.com/blog/live/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
