
So Now You're Faced with Managing Security? Here's What to Expect...
By: Laura Taylor
May 2, 2001

You've just accepted a position to manage the security of a reputable eBusiness. Now you're wondering what you've gotten yourself into and where to begin.

Your first task will be to do some data gathering. You'll need to find out what types of security policies, processes, and procedures currently exist at your new company (if any). If your new company has a medium to large sized network, with remote sites, and a multiple-tiered management organization, expect the data-gathering phase to last at least a month. You'll want to set up one-on-one interviews with each member of your staff, as well as each of your management team peers.

During these interviews, aside from finding out what security resources currently exist, find out what the history of information security has been at the company. Have there been security breaches in the past? If so, what was the prior reconciliation process and the final outcome? Was law enforcement involved? Were any employees terminated? Were lawsuits initiated? Systems that have been compromised before will most likely be areas carefully watched by your management peers. It will be important to make sure prior security compromises do not get repeated.

Important questions to ask everyone you interview will be:

  • What security disasters are waiting to occur?
  • What does your company do well as far as security goes?
  • Who are the key employees that currently have the best understanding of the current security posture of your company?
  • Who are the security advocates inside your organization? (You need the security advocates on your team, and it will be important to keep these folks informed of your findings and future recommendations.)
  • Who are the security naysayers? Many organizations have factions of security naysayers who find every reason in the book not to implement security. (These folks will need special attention if you don't want them to undermine your recommendations.)

Be sure to communicate to your supervisor that it will take you at least one month to understand the current corporate security status of your organization before you will be able to move forward with future recommendations. Managing your supervisor's, and your corporation's, expectations in regard to security will be key to your success.

After you have a good understanding of the available resources, and the current expectations of your fellow management team, it will be important to understand the immediate security liabilities. Where is your company currently vulnerable? You'll want to categorize each vulnerability according to the potential impact it could have on your organization, such as:

  • High risk
  • Moderate risk
  • Low risk

In categorizing risk levels, some of the things you'll want to consider are your contractual agreements with your customers, your currently stated privacy notice, and the existence of any life-threatening or financially sensitive transactions. When your transactions affect patient health or financial accounts, errors and liabilities are far less acceptable.

Typically, the kinds of applications that mandate at least some level of security inspection are:

  • Messaging
  • Corporate General Ledger
  • Human Resource Files
  • Customer databases

The network hardware devices that require security inspection are all the hardware platforms that these applications exist on, as well as the corporate routers, gateways, firewalls, VPNs, and authentication systems. If there are no firewalls, VPNs, or authentication systems, chances are your job is going to be even more challenging -- you will need to identify whether there is a need to develop and implement these specialized security systems.

What you want to do is put together an information security IT agenda, and ultimately an overall security project plan. In identifying vulnerabilities, it is wise to have an outside auditing firm perform an objective online security penetration test. An online penetration test will be one of the items you will want to put at the top of your security IT agenda.

When shopping around for a security penetration testing service, be sure to ask them how many types of vulnerabilities they are able to test for. Any consulting service that does not test for at least 500 vulnerabilities should probably not be considered. Today, most penetration testing services that truly know what they are doing test for approximately 600-1000 types of online vulnerabilities. Make sure that the penetration service will include as part of their service, the hand-off of a Vulnerability Assessment Report. The report should assign risk levels to all vulnerabilities reported, and include recommendations on how each one is typically fixed. Have your own staff fix as many of the vulnerabilities as possible, and consider hiring an outside consultant to resolve the vulnerabilities that your team is not able to resolve themselves.
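The risk categorization described earlier (high, moderate, low, judged by patient-health or financial exposure, customer contracts, the stated privacy notice, and prior compromise) and the hand-off of a vulnerability assessment report come together in practice as a triage step over the report's findings. The following script is an added example, not code from the article or from any penetration testing service; the field names, the rating rule and the split between staff and consultant work are assumptions chosen for illustration, and the report entries are constructed sample data.

```python
"""Triage of a vulnerability assessment report along the lines the article
describes: each finding is categorised as High, Moderate or Low risk from the
factors the article names (patient-health or financial transactions,
contractual commitments, the published privacy notice, prior compromise).

Added example; field names, the rating rule and the sample findings are
assumptions constructed for illustration, not real assessment results.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    system: str
    title: str
    affects_health: bool = False          # transaction affects patient health
    affects_finance: bool = False         # transaction affects financial accounts
    contract_covered: bool = False        # a customer contract promises protection here
    privacy_covered: bool = False         # the stated privacy notice covers this data
    previously_compromised: bool = False  # system was breached before; watched by management
    recommendation: str = ""              # typical fix suggested in the assessment report


def rate(f: Finding) -> str:
    """Assign a risk level. Assumed rule: health or financial exposure, or a
    previously compromised system, is High; a contractual or privacy-notice
    commitment is Moderate; everything else is Low."""
    if f.affects_health or f.affects_finance or f.previously_compromised:
        return "High"
    if f.contract_covered or f.privacy_covered:
        return "Moderate"
    return "Low"


ORDER = {"High": 0, "Moderate": 1, "Low": 2}


def triage(findings):
    """Group findings by level, highest first; each group sorted by system and title."""
    grouped = {"High": [], "Moderate": [], "Low": []}
    for f in findings:
        grouped[rate(f)].append(f)
    for level in grouped:
        grouped[level].sort(key=lambda x: (x.system, x.title))
    return grouped


def work_plan(findings, in_house_skills):
    """Split findings into what your own staff can fix and what to hand to an
    outside consultant. in_house_skills: set of system names the team knows
    how to remediate (assumed input). Highest-risk items come first."""
    staff, consultant = [], []
    for f in sorted(findings, key=lambda x: ORDER[rate(x)]):
        (staff if f.system in in_house_skills else consultant).append(f)
    return staff, consultant


# Constructed sample report entries (not real findings).
SAMPLE_REPORT = [
    Finding("customer-db", "Weak database password policy",
            affects_finance=True, privacy_covered=True,
            recommendation="Enforce password complexity and rotation"),
    Finding("general-ledger", "Unpatched accounting server",
            affects_finance=True, previously_compromised=True,
            recommendation="Apply vendor patches"),
    Finding("hr-files", "HR share readable by all staff",
            privacy_covered=True,
            recommendation="Restrict share permissions to the HR group"),
    Finding("messaging", "Mail relay accepts unauthenticated external relay",
            contract_covered=True,
            recommendation="Require authentication for relaying"),
    Finding("intranet-wiki", "Default banner reveals software version",
            recommendation="Suppress the version banner"),
]

if __name__ == "__main__":
    for level, items in triage(SAMPLE_REPORT).items():
        print(f"{level} risk: {len(items)}")
        for f in items:
            print(f"  [{f.system}] {f.title} -> {f.recommendation}")
    staff, consultant = work_plan(SAMPLE_REPORT, {"customer-db", "hr-files", "messaging"})
    print("Staff:", [f.title for f in staff])
    print("Consultant:", [f.title for f in consultant])
```

The rating rule is deliberately simple so that it can be explained to management peers in one sentence; the point is that every finding in the report receives a level for a stated reason, and the work plan keeps the highest-risk items at the top of both the staff queue and the consultant queue.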

One critical area of security that is probably most often ignored by security managers is the review of documented processes and procedures. Auditing processes and procedures can only be performed through human analysis; none of the shortcomings of security checks in processes and procedures will be picked up by an online penetration test. The review of security processes and procedures is important because it is sound processes and procedures that will help maintain ongoing security moving forward. A penetration test is simply a snapshot of your security posture at a moment in time.

Processes and procedures that typically need review are processes for changing passwords on mission critical systems, ACL changes on the routers, firewall rule-set changes, procedures for configuration of secure remote access accounts, secure remote access user instructions, and general overall change-management procedures.

If you pay attention to each of these areas, you will greatly increase your chances of improving the security of your organization. Maintaining security is an ongoing process, and just when you think you have your network locked down and secure, there will be some new area of concern that will require your attention.
