IT Security Management -- People, Procedures and Tools

IT Security Management:
People, Procedures and
Tools
Managing systems and information security can be daunting for NGOs
with a global presence and limited resources. Looking at the issue
through the lens of people, procedures and tools, this session will
discuss approaches for ensuring IT security to minimize risk to your
organization.
Andrew S. Baker, President of BrainWave Consulting Company, LLC

© 1995-2013 – BrainWave Consulting Company, LLC, All rights reserved.
• Outline some key premises about
Information Security
• Provide suggestions for dealing with
today’s challenges, especially in a
global setting
• Understanding the importance of
communication to effective Information Security
• Look for low-cost ways to obtain security
information and resources
Today’s Goals

There is NO SuchThing as a FREE Lunch

• Information Security is a lifestyle, not an event
• It’s about managing – not eliminating – risk
• It’s all about People, Processes and Tools/Technology
• It must be intrinsic to operations, not bolted on
• Complexity is the enemy of good security
• It’s not easy, but it needs to look easy
• How you spend is more important
than How Much you spend
BasicTenets of Information Security

• Good information security must be made intrinsic
to business operations
• Security is a journey, not a destination
• Security is a moving target
• Security is the management
of threats, risks and mitigations
• Consistency is the best friend of good security
• Complexity is the worst enemy of good security
Security is a Lifestyle, not an Event

• The right people can overcome
deficiencies in your policies,
processes and technology
• The wrong people will likely
undermine even the very best
policies, processes and technology
• Trust is the most important characteristic in the people
supporting your security. Trust, but Verify
• Hire people because they align with your goals and
understand the technology – not because they are
good at catching bad guys
All About People

• They must be relevant to the risks of your
environment
• You need just enough processes to get the job done;
Documentation must be one of those processes
• They should be simple enough to explain and monitor,
yet robust enough for your needs
• They must be regularly evaluated
for suitability, effectiveness and
adherence
• Security has to be intrinsic to your
operations, and consistently applied
All About Processes & Procedures

• Make sure your tools only implement your security, not
define it
• Encryption, Encryption, Key Management & Encryption
• Less tools is better than more tools (CiTEoGS)
• Tool priority:
• Detection
• Prevention
• Monitoring
• Reporting
• Storage, storage, storage
All AboutTools &Technology

• Most security issues stem from configuration
problems or errors
• The more complex your configuration:
• the more likely you’ll have security-impacting errors
• the more likely you’ll have insecure components installed
• the longer it will take to notice a potential intruder
• the more money/time you will spend to support it
• Simplicity has many advantages, including
cost, training time and visibility.
Complexity is the enemy of good security

• Eliminating all risk is not only
costly – it’s impossible
• Determine what risks you can accept and
what risks you can transfer, reduce, or avoid –
then prioritize your resources accordingly
• Risk management begins with a valid
inventory of personnel, equipment and data
Risk management, not Risk elimination

• More money doesn't automatically mean
better security
• Spending in the wrong place is
worse than not spending at all.
• There are some things you can
build and some you can buy.
• You can spend on people or technology or
both
Relationship of Spending to Security

• Option 1:
Hire the brightest people and build everything
• Option 2:
Hire decent people, and buy
the right technology solutions
• Option 3:
Figure out how to divide your meager budget
between good enough people and good
enough technology solutions
Security Spending: Build vs Buy

• Ensure that everyone is subject to
the same minimum security level
• Security Awareness Training
• Treat Information Security as more than a
computer or technology issue
• Don’t take any abnormal computing activity
for granted
Cover the Basics – Policy & Procedures

• Patch Management
• End-point protection (Antivirus, Antimalware)
• Use password managers and strong
passwords
• Segregate your computing activity
(secure vs non-secure)
• Make time to review logs
Cover the Basics –Tactical & Operational

#1: Consolidate Your Tools
#2: Encourage a Culture of Security
#3: Keep Projects Small
#4: Use Native Features
#5: Access Security Communities
#6: Focus on Insurance vs Investment
Things to Do – Policy & Methodology

• Defense in Depth is still important, but don’t
have too many tools doing the same things
• Integrated security hardware is preferable to
completely separate hardware for each
function
#1: ConsolidateYourTools

• Reward employees that maintain high security
• Don’t limit security to technology related areas.
• Keeping desks clear
• Managing confidential documents
• Escorting visitors
• Not picking up stray thumb drives
• Keep workstations locked
• Don’t discuss sensitive information in open spaces
#2: Encourage a Culture of Security

• Regardless of staffing size, small discrete
projects are more successfully implemented
than massive, overarching projects
• Projects that take more than 2-3 weeks for
fully implement are likely to be partially
deployed or get postponed repeatedly
#3: Keep Projects Small

• As much as possible, take advantage of the
software that you’ve already paid for
• Advantages of using native software include:
• Compatibility with more hardware and software
• More controllable updates (generally)
• Broader support potential from vendors and staff
#4: Use Native Features

• There are a wide variety of
mailing lists, forums and social
media communities that focus
on current security information:
• http://seclists.org/
• http://secunia.com/community/advisories/
• http://myitforum.com/myitforumwp/community/groups/
• http://www.us-cert.gov/mailing-lists-and-feeds
• Different countries will have a CERT team as well
(Computer Emergency Response Team)
#5: Access Security Communities

• Don’t get hung up on trying to provide ROI for
security initiatives
• Information Security is an
insurance policy to keep the
business operational; it’s a
revenue protection mechanism
• True, there are investment aspects to
information security as well, but the focus
must be on preventing business ending events
#6: Focus on Insurance vs Investment

#1: Secure All Network Access
#2: Audit all Computing Activities
#3: Protect Data at Rest
#4: Secure Integration With Other Networks
#5: Effective Backup & Restore Options
#6: Security Education
Things to Do –Tactical

Avoid clear text protocols, especially when it
comes to administrative access
-- User access = HTTPS
-- Admin access = HTTPS / SSH
Support strong and flexible password policies
Support comprehensive role based usage and administration
Use certificates, not only to ensure secure transmission, but to
validate the clients side of the connection
SSL/TLS and SSH are some of the technologies that should be
employed for ensuring secure access
#1: Secure Access

It’s not just enough to have secure
access. It’s important that the
access be auditable.
Keep track of users and user activity
You need to be able to track who accessed what,
from where, and at what time.
Keep details of administrative activity and
provide robust reporting
#2: Audited Access

Encrypting data in motion is well accepted today.
Encrypting data at rest is still a little iffy today.
In the event that you are breached or suspect a
breach, the statements that you are able to
make about the encryption of the targeted data
will be greatly affected by their encryption status
#3: Data at Rest

Remember that your “perimeter” extends into all
other networks that you choose to connect to your
own.
This includes cloud computing
vendors, mobile providers,
outsourcers, business partners,
etc.
You must ensure that you do not undermine the
security of your application through insecure
integration with other platforms (i.e. mobile) or
other providers.
#4: Secure Integration with Others

Disaster Recovery and Business Continuity are often
considered when it is too late.
Good security is not just about
“protection,” but about availability
and data integrity.
Consider all the ways that your data could become
inaccessible, and make some allowance for the most
likely or most damaging scenarios.
And, test, test, test!
#5: Effective Backup & Restore Options

Security education need not be elaborate, and it
need not be costly
Security education just needs to be:
• Relevant to the current threats
• Relevant to the user roles
• Comprehensive (over time)
• Actionable
• Measurable
• Periodic
• Rewarding
• Personally Applicable
#6: Security Education & Awareness

#1: Security in the cloud is an extension of
security outside the cloud.
#2: Auditing and reporting are some of the
most important security needs that vendors
take the longest to address.
#3: The best security options in a cloud
service cannot overcome the worst security
practices by a customer (or provider). Tools are
just a means of facilitating process.
Considerations for the Cloud

#4: There are many legal components of cloud
security that are overlooked until very late in the
procurement process. Get your legal team involved
early.
#5: Your data is not automatically more safe on-
premise or less safe in the cloud (or vice versa). You
*might* have more control over your data on your
own premises, but without the processes, tools or
staffing to address issues, your data will be at risk.
#6: Regular risk assessments are needed to ensure
that the right level of security is being applied to
your data
Considerations for the Cloud (Continued)

• Keep things as simple as possible
• Start with clear policies and procedures
• Use native tools
• Use trusted open source tools
• Use “Community Edition” tools
• Hire the right people
• Regularly communicate with employees, management
and key partners
• Keep abreast of current risks
Summary of “DO”s

• Don’t lose control of your data
• If you use 3rd parties to host or manage your data, encrypt it
• Don’t unnecessarily expose or discuss
your security mechanisms in detail
• There is some security in obscurity
• Don’t ignore the security-trained resources that you
have access to
• Your staff is really trying to help you. If anything, educate them about how to
make decisions with limited data
• The security of your data is ultimately your problem
• Don’t expect to off-load 100% of the security concerns your organization faces
to your cloud vendors or other 3rd parties. Your practices are important too.
Summary of “DON’T”s

Contact Info:
Andrew S. Baker
www.BrainWaveCC.com
ABaker@BrainWaveCC.com
http://XeeMe.com/AndrewBaker
Question & AnswerTime

IT Security Management -- People, Procedures and Tools

More Related Content

What's hot

Viewers also liked

Similar to IT Security Management -- People, Procedures and Tools

IT Security Management -- People, Procedures and Tools

Editor's Notes