The major milestones of building a security framework for any enterprise are risk assessment, risk analysis, risk treatment and compliance. The initial baseline assessment is an abbreviated version of a more full-blown risk or security assessment/analysis. The assessment is only as good as the honesty and knowledge of the people who answer the questions and the experience and knowledge of the persons interpreting the answers. For example, just because an organization has policies does not mean that the policies are being followed or even enforced. It is still necessary to assess at a more detailed level by testing a policy to see whether people are in compliance with it.
After the report is complete, an organization must deal with the number one issue for a successful security program: management commitment. Each organization will find the level of management commitment very different. It may be easy to get the needed buy-in because of an incident causing financial loss, or it may be difficult because management does not understand all the risks that the baseline report points out. Presenting them in a business context will help management understand. In either case, be prepared by understanding management’s business expectations and use the sample questions in Annexure 1 to educate management about the security concerns. Until security matters as much to management as the bottom line, users will not make security policies, guidelines and procedures a priority. As the security program grows, it will be equally important to have management’s buy-in throughout all levels of the organization, from executives to line managers.
Annexure 1: Baseline assessment of company security status.
- Are company policies defined to address business use of company resources, covering such things as explicit and appropriate e-mail privacy or Internet usage policy? Are they enforced consistently, if at all?
- Are the company’s operating systems up-to-date with the most current security patches to prevent exposure to known hacking vulnerabilities? Do you know which vulnerabilities can be exploited to access your system?
- Is your company able to detect a computer crime, and can you gather evidence that can prove to the court, media, or stockholders how the crime was perpetrated and who committed the crime?
- Does your company allow remote access from home or wireless? Are employees working only from the corporate office? What methods do employees use to access the network? Have they created any methods you are not aware of, such as remote control or modems on a desktop?
- What is sent across the company network? Do the transmissions include vital or confidential information?
- Is there a definition of “incident”? Has an incident response plan been created to handle critical incidents? Does management want to have the ability to criminally prosecute incidents, making it necessary for evidence to stand up in the legal system?
- Are all users authenticated and authorized to use the company network?
- Are all of the entry points into the company known and documented? Does that include the ones that exist because of technology, such as modems, personal Internet connections, extranet connectivity, and any others?
Security will be cast in the same light as insurance. Security, like insurance, minimizes what one has at risk. A company spends money on security because it is not willing to accept the risk associated with all of the vulnerabilities that put the business at risk. Security does not increase business profitability unless a company can show that its security provides an advantage over its competition. For most companies, security does not generate revenue; it is a cost of doing business. Security will be viewed as an expense, but it must be seen as a necessary cost of doing business. With the huge dependency today on data, it is no longer a question of whether a company can afford to provide security measures, but whether the company can afford not to.
The next step is a budget to back the efforts of the security program, which includes appropriate salaries to hire security professionals or the necessary security consultants who can assist in continuing management education, technology evaluation, procuring tools and forming policies and procedures, and who can help complete the building of the security infrastructure. The budget should provide for a team that will coordinate and implement a successful security project. The team will build the corporate security framework or plan and present it to management for continued commitment and potential additional budget needs. A security awareness program begins to take shape at this point, simply to keep management informed of security architecture and funding needs. This communication could be formal or informal; making it more formal will make the process of keeping management informed consistent and timely. The security awareness program is a key milestone in building a robust security framework and is required throughout the security program’s lifecycle, regardless of whether the process is made formal or not. The security awareness program may find it necessary to illustrate to management examples of recent incidents and of legislation or regulations, to help it understand the importance of security and to justify continued budgetary and administrative support.
The plan should include prioritization of the activities needed to build the security programme. Depending on the organization, it may be necessary to use a formal assessment to help prioritize actions, build support (management commitment, using the security awareness program), or identify additions or changes to the framework.
Enterprise-wide risk assessments can be very labor intensive. It is very important to set expectations and a goal for the assessment. This can be difficult, especially if no other assessments have ever been done. However, it is essential to strike a balance between risk assessment and the business need for risk treatment and mitigation. It may happen that management chooses to accept some of the risks, considering their impact on the business. There is a common saying in security parlance: “How much is too much?”
Assessments come in many forms, from the formal enterprise-wide assessment that covers the entire corporation and its processing environment to smaller targeted assessments of selected platforms. For example, penetration tests or vulnerability scans can be performed against the company’s external access points to find exposures to unauthorized entry. Another example might be an analysis of host operating systems to determine their status and whether they are missing security patches or are improperly configured.
A formal corporate risk assessment could arguably be identified as the number one requirement for building a security program. Without one, how can a company identify what needs to be done, where the framework is incomplete, what to prioritize, what is missing from policy, and, essentially, what to tell management? It is true that each element in the infrastructure and the risks that pertain to it will affect other elements, and each risk will in turn affect how the complete framework should be managed. However, many companies do not have the luxury of time, money, or commitment to undertake an enterprise-wide risk assessment. Smaller targeted assessments with a specific goal in mind can be pursued first to get a security process off the ground.
Smaller, less formal assessments can identify gaps in basic security components such as application development, servers, or the network. The simple assessment can help identify basic best practices that are missing but, as a matter of due diligence, should be followed. This gives the plan a place to start without needing the more complex formal or enterprise-wide assessment first. In such a situation, the more formal, complete enterprise-wide risk assessment can be scheduled for a later date.