10 Steps Toward Comprehensive Security

One of the largest impediments to implementing an effective security solution has to do with an organization's attitude and awareness about security risks. First, enterprises often cannot see the rationale to justify adequate investments because they cannot measure the costs of failing to do so. Second, as security is treated as a technical issue alone, too many organizations believe that security concerns only the IT department.

Third, the absence of a security view of changing technology paradigms results in dangerous technology adoptions that create larger security holes. For instance, wireless technologies today are lacking in their ability to conform to end-to-end security standards. Fourth, organizations may underestimate the human contribution to security breaches. Elements such as operator error and ignorance are sometimes overlooked, increasing potential risks.

However, the biggest technical challenge of all involves managing the varied security levels of new technologies. We propose ten steps to be considered--technical, organizational and operational--when formulating a comprehensive security strategy from an organizational perspective.

Step 1: Budget Adequately

The size of the budget should be defined by taking into account the security track record of the technologies being adopted; the criticality of restoring important business processes in the unlikely event of a breach; the size of the deployment characterized by the spread of operations, considering the geographic and sociopolitical aspects of the risks; and the costs of maintaining enterprise-wide vigilance.

We believe that enterprises should consider investing a percentage of their total IT budget for security risk mitigation, to keep a check on the indiscriminate adoption of technologies as well as to provide for risks arising from it. Organizations should also run a parallel security assessment program whenever an increase in IT investments is recommended. This could be executed by either an internal or an outsourced specialist team tasked with assessing the impact of the new technologies on the organization's security levels.

Step 2: Define Adequacy Levels for Security

Security threats include unauthorized access to databases and applications, theft of intellectual property, software/hardware holes or viruses, or even operator error. Security software and hardware can only be as effective as the way they are used in a security framework. An information security strategy therefore needs to address three challenges:

  • Defining the adequacy of a security system for a given enterprise
  • Implementing control parameters to determine the potency or likelihood of a threat
  • Applying measures to maintain the defined level of adequacy on a 24x7 basis

This involves a static phase of assessment, design and implementation followed by a dynamic phase of several monitoring and auditing cycles. This would also mean that an organization might need to seek expert help from outside to manage specific phases of the security orchestration. Information security demands constant attention, periodic customization, education and oversight as well as a set of procedures, monitoring capability and a response plan.

Step 3: Separate Out Risks, Vulnerabilities and Threats

Placing sensitive information or processes on static and mobile systems brings about risks. These may involve loss, alteration or inappropriate disclosure of information or the processes that generate the information--events that could harm the firm's reputation, invite legal or regulatory action, or at least cost money and resources.

Even the technologies and procedures that manage sensitive information and processes possess vulnerabilities. A tight security strategy requires understanding the degree of risks, vulnerabilities and threats and taking appropriate steps to mitigate them.

Step 4: Articulate the Human Element

Security breaches can result from the mishandling of information, so security must become a top-level concern in the organization, percolating down to the last employee. Apart from implementing policies, one way to ensure this is through constant reminders and education.

We think of security as akin to quality. Large organizations must approach setting up a security department much the way quality departments were built over the years. This department should garner support from business units through part ownership of the organization's security orchestration. However, senior management must own the security agenda.

Step 5: Treat Enterprise Information as the Basic Entity You Are Protecting

The security net should encompass the process of information generation, transmission and consumption. Articulating a microscopic view of enterprise information as an entity to be protected is an overwhelming task. But when security strategists embrace an "information view" of their enterprise, they are better able to appreciate the nuances of protecting diverse data assets. Information such as customer data, strategic plans, competitor matrices, transactional data and billing data are often the targets of malicious attacks.

Step 6: Don't Forget Your Customers

Enterprises must not forget to protect customers whose data resides on their servers. The onus of protecting consumer information rests with the organization hosting such information. In this context, data privacy issues are closely related to security issues. Therefore, privacy policies will also become an essential ingredient of a well-tailored enterprise security strategy.

Step 7: Plan for Disasters

Information assets have to be available to managers in the event of a crisis, such as the one on September 11. Traditionally, disaster recovery and business continuation form a small part of the IT department function for most organizations, often working in isolation and with slow-paced agendas. These two functions should assume critical security roles in the IT organization as part of a larger orchestration of the risk management process.

Step 8: Choose the Right Set of Products and Policies

Appropriate security technologies and tight policies lie at the two extreme ends of a prescriptive approach to a thorough enterprise security strategy. Failing to deploy either one in the right measure leaves the security problem inadequately addressed.

The right solution is a middle path that consists of an appropriate set of security products and policies backed by activities to enforce, monitor and report intrusions on a 24x7 basis. The criteria on which these choices are based should depend on the degree of external-facing applications, the nature and size of the operation, and external dependencies.

Step 9: Identify What You Can Do Best and Leave the Rest to Others

Security implementations are adequate combinations of static and dynamic exercises. Organizations cannot always hire, retrain or invest in their own human resources, owing to the expensive nature of the expertise and experience required across diverse areas of the security landscape. Enterprises need to know where to employ what, and must draw a line between how much they can do internally and what should be outsourced.

Step 10: Develop an Outsourcing Strategy

Different levels of expertise are required to conceptualize an enterprise-specific security framework. Enterprises may need help performing a physical security audit of assets, conducting an electronic security audit, setting up a security policy, etc. They may also require security implementation consulting and security architecture design or planning services.

To develop an appropriate outsourcing strategy, organizations need to know how much to outsource. This decision requires an understanding of optimal tactical needs, such as monitoring services, as well as the roles that strategic elements, such as policies, play in a secured network.

Today there are a number of services companies--in particular those with full life-cycle service capabilities--that meet the ongoing needs of enterprises. Post-deployment, enterprises can safely employ security service providers for outsourced monitoring and management of security devices and systems. Additionally, some service providers offer services ranging from penetration tests, strategy assessment and strategy development to ongoing monitoring and management services, which prescribe a holistic approach to security threats.

© October 2001 Infosys. All rights reserved.

About the Author

George Eby Mathew is a principal analyst for the Software Engineering & Technology Labs at Infosys Technologies Ltd., based in Bangalore, India. He is responsible for analytical research on the impact of technology on businesses. Mathew has a bachelor of technology degree in electrical and electronics engineering. He can be reached at george_mathew@infy.com.


About Infosys Technologies

Infosys Technologies Ltd. (NASDAQ: INFY) provides consulting and IT services to clients globally as partners to conceptualize and realize technology-driven business transformation initiatives. With over 25,000 employees worldwide, we use a low-risk Global Delivery Model (GDM) to accelerate schedules with a high degree of time and cost predictability.

We provide solutions for a dynamic environment where business and technology strategies converge. Our approach focuses on new ways of doing business, combining IT innovation and adoption while also leveraging an organization's current IT assets. We work with large global corporations and new-generation technology companies to build new products or services and to implement prudent business and technology strategies in today's dynamic digital environment.