Following these four steps will help you shore up your systems.
IT departments are under pressure to cut their operating costs, but they're also being asked to improve and standardize information security. Because security doesn't come cheap or easy, technology managers need to chart a clear plan to effectively assess and strengthen security.
Companies once satisfied with distributed and heterogeneous security measures are implementing centralized security infrastructures. Drivers for this upswing include increased industry regulations, especially in health-care and financial services, terrorist threats, and a trend toward the centralization of IT resources in general, as organizations use the economic downturn to retrench IT infrastructures that spiraled out of control during the late '90s.
To ensure a sound security strategy, Doculabs recommends a phased approach, concentrating on four steps. First, assess existing investments and policies. Take an honest, high-level inventory of security-related systems and policies.
Second, perform a gap analysis. How quickly does incident reporting lead to a response? Could both operational efficiency and security be improved by changing a process or technology, such as a more effective identity-management system? If both can be improved at once, it may be easier to develop a concrete return on investment (more on that later). In this phase, it's important to delve into the technical details. It's also a good point to bring in outsiders to help in the planning process or even to attempt to break into systems and find vulnerabilities.
KNOW THY JARGON
Authentication: Verifies identity by a physical "key" (e.g., a smart card), something the user knows (a password), or a biometric method (a thumbprint)
Confidentiality: Lets a message or file be viewed only by its intended recipient, usually through encryption
Integrity: Detects whether data was modified en route, usually by means of digital signatures
Nonrepudiation: Proves a message was sent by the specified party, like a digital receipt
Next, develop a security plan and implement changes. Based on the vulnerabilities and opportunities discovered in the first two steps, create an overarching security plan and a phased implementation schedule for the necessary components. Not until the plan is assembled does it make sense to start evaluating the vendor systems required for implementation. Keep in mind that vendor product designs should not dictate the system design.
Finally, monitor and optimize the system. The work doesn't end once the new security plan and systems are in place. New security threats arise daily, so it's important to have someone on staff dedicated to ongoing threat-assessment monitoring. Additionally, security is often at odds with utility and performance: increase one and the other may decrease. As business requirements change, there may be a need to re-evaluate this balance.
Besides electronic security, there are other areas to consider, including physical security and operational training. Physical security is crucial. The principles of security-technology infrastructures become moot if an intruder can simply walk in and access critical systems. In a similar manner, if operational training isn't in place, a company is open to social engineering: Attackers pretend to be employees, convincing unwitting users to give them valuable information or access to systems. Formal policies around areas such as remote access help employees to recognize and report suspected social engineering.