# Seven habits of highly secure companies
## Skie (Mar 15, 2003)

I received this through the ISN (Information Security Newsletter) mailing list.

----

http://www.itbusiness.ca/index.asp?theaction=61&lid=1&sid=56003

By Sheldon Gordon
6/30/2004

Companies, like the humans who make them run, are creatures of habit. 
Some of those habits can make information systems more secure, rather
than less. There's no such thing as absolute security, of course. But
the seven best practices of highly secure companies are a standard
against which CEOs can measure their organizations.

"If you can't afford the security, you can't afford the project," says
Rosaleen Citron, CEO of Toronto-based security firm WhiteHat Inc.,
citing a well-known axiom in the information security industry. On the
other hand, "most businesses, big or small, can't afford to defend
everything," says Mary Kirwan, an independent security expert in
Toronto. Indeed, they would impede their productive business activity
if they tried.

An effective approach to information security involves making choices. 
Companies must compromise, deciding what are the most important assets
that need to be protected and then deploying a proportionate level of
security around them.


1. Assess and audit

Have a risk assessment and a regular security audit performed by an
outside pair of eyes. The risk assessment creates an inventory of
assets and undertakes a detailed threat assessment. It assigns ratings
to threats, and proposes a list of counter-measures. The security
audit is designed to show whether those measures have been adequately
implemented. How "regular" a security audit should be depends on the
business and how much information is being exchanged with customers
and suppliers.

"We're seeing most companies have an audit three or four times a year
if they have a lot of online interactions with their clients," says
Victor Keong, a partner with Deloitte & Touche LLP in Toronto. Also,
have a consultant rather than the internal I.T. staff perform the
audits. "An independent set of eyes is necessary to probe and to test
what was done inside," says Mary Kirwan, an independent security
expert in Toronto. "It's a conflict issue. Think of the security audit
as you would a financial audit."


2. Update your security software

Make sure your firewalls and anti-virus systems are up to date. 
Enterprises need to ensure that firewalls on the underlying operating
systems are secure and that "edge-protection devices" such as
anti-virus software, intrusion detection boxes and upstream routers
from the ISP are up to date.

"Ninety per cent of companies have these devices in place," says
Keong, "so why are they still vulnerable to viruses? It's because of
remote users. Their anti-virus signatures are not updated like those
in the office environment." Personal firewalls must be installed on
laptops and other remote computers. Keong also recommends event
correlation software that will enable the IT department, when logging
security-related events, to better discern when a genuine attack is
occurring and then take action.


3. Put policy into place

Have an IT policy that is written and enforceable and covers all the
critical systems as well as employees of the enterprise. "The baseline
of any security architecture has got to be policy," says Ray Gazaway,
vice-president of professional security services, Internet Security
Systems Inc. (ISS) in Atlanta.

From a legal perspective, the policy should prohibit pornography,
conversing with competitors and circulating sexist, racist or
defamatory e-mails. Beyond the strictly legal implications, however,
the policy should incorporate a digital disaster recovery plan. It
should address the basic issue of whom to call in the event of an
emergency. The enterprise's IT department should be an integral part
of writing the policy relating to IT issues, says Gazaway, "but it
should be the HR group that really owns the policy. It should make
sure that employees sign off that they've read it, understand it, and
are aware of the consequences of violations."


4. Backup plan

Have a disaster recovery plan. Denial-of-service attacks have
sensitized enterprises to the danger of being knocked offline. "If
your livelihood is coming off e-commerce, you had better have that
[Web site] backed up, just as you do your data," says Citron. "Back it
up at least once a week so that you've always got the latest version."

But digital disaster doesn't only take the form of deliberate attacks
on IT assets, she cautions. The disaster recovery plan has to
anticipate unintentional disruptions such as last August's power
failure and the SARS crisis. "I've seen data centres burn down, and we
go to the hot site, and away we go," says Citron. "But we'd never seen
a situation where companies had to sequester work groups. Companies
immediately had to layer security onto notebooks that hadn't been used
before but now were needed to enable people to work from home."


5. Train and authenticate

Minimize the internal threat by properly training and authenticating
employees. Enterprises should have not only a policy but also an
awareness program informing employees not to open e-mail attachments
from unknown sources and not to bring in disks from home. In addition,
firms need to have rigorous authentication and access policies.

"We're still seeing a lot of very poor password procedures in place," 
says Gazaway. Companies should make employees change their passwords
at least monthly -- and explain why.

Role-based access to systems is another important safeguard. "There
needs to be a concerted effort in a corporation to say, 'This employee
is only working in this particular role and should only have access to
this particular group.' It's amazing how often we see new employees
come to a corporation and get access to everything. There's no reason
for a person working in a mailroom to have access to financial records
or HR records. It's a question of who needs to have access and why. 
And that needs to be reviewed on a regular basis."


6. Encrypt your data

The use of encryption technology has become widespread in enterprises
for e-commerce transactions and wireless communications, but not for
stored data.

"Encryption of the data at rest is just as important as encryption of
the data in transit," says Mark Fabro, chief security scientist with
AMS Information Security Services Group in Fairfax, Va.

Stored data has become more susceptible to exposure because of open
networking requirements, says Fabro. In addition, stored data tends to
be in an aggregated format that, when considered together with other
data, can have a much more harmful impact if compromised than data in
transit.

"The overall asset value of what is being encrypted will dictate the
level of encryption that needs to be deployed to secure the data," 
says Fabro.

"If the information is valuable for one week and it would take a
dedicated attacker only half a week to decrypt it, then that
encryption is not the right one to use."


7. Report to the CEO

Appoint a chief information security officer (CISO) to be responsible
for IT security. Ideally, the CISO shouldn't report directly to the
chief information officer. A tangential relationship is necessary
because the CISO's recommendations will be implemented through the
activities of the CIO.

"The direct reporting should be to the CEO, because it is the CISO who
is ultimately going to be responsible for the crafting of information
security policies," says Fabro. "And those policies will only be
effective if they have top-level buy-in. It is not the CIO who is
going to be pressing adherence to an information security policy. It
is going to be the highest representation of the company." That should
not be the board of directors, however, because employees may not
fully grasp the importance of boards, Fabro says.


----------