download issue 24 here - Help Net Security
organizations the tools they need to rapidly develop and implement information security policies. The vast set of resources includes templates for 24 important requirements. The site also offers those new to policy development a way to get a head start on such initiatives, while also providing specific direction on issues related to legal requirements, such as the HIPAA guidelines.
In exchange for leveraging these tools, SANS asks that organizations actively take part in updating and improving the templates, as it considers the resource page a continual work in progress. In particular, companies are encouraged to share their own policies where they address a need the program does not already cover, thereby expanding the benefits of the resource center.
Only after a general goals framework is established can CIOs and their security teams audit their systems for conformity and determine what changes are needed. Organizations often conduct the audit before reviewing their security policies, in typical "cart-before-the-horse" fashion. Though the largest expense at this point is time, the hard-dollar savings that come from starting with a review of policies are significant.
Perform a security audit<br />
The natural tendency is to believe that the only way to conduct an audit effectively is to hire an outside consulting team and break the bank in the process. That need not be the case. It does, however, require full commitment from IT staff and a systematic process so that the work happens as efficiently as possible. At a minimum, include these steps:
• Know what you should know. Begin by identifying all the assets within the IT department, categorizing them by system and purpose. As strange as this may sound, most CIOs don't have a full accounting of all the equipment and intangibles they own and operate. The biggest reason is that some devices, software, files and other systems are shared with other departments. As a general audit rule, stay within the realm of assets that are owned by the IT department or required to effectively maintain the company's network security.
• Prioritize the assets. After a thorough list is compiled, the next step is to figure out which ones pose the biggest risk. This can be based on the probability of being attacked combined with the level of harm that could result. One word of caution: don't simply ignore legacy systems when making the list. Just because a system performs a single specific task, or is the oldest device in the department, doesn't mean it isn't tied to a mission-critical business task.
• List known threats. Brainstorm how each system and device is inherently threatened from internal and external sources. These will include things such as how complex employee passwords are, how many people have access to sensitive or private company data, and the presence and configuration of spam filters, anti-virus programs and the like. Keep in mind, too, that certain protective features and functions embedded in newer systems are absent from some of the legacy ones, so threats of old may still need to be identified and respected.
• Look at trends. Keeping up to date with the latest IT publications, to read about past and potential future security trends, gives a good foundation for determining the "unknown" and then figuring out the steps necessary to counter that threat. Other good resources include industry associations and peers.
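The first three steps above can be captured in a small inventory model that enforces the scoping rule, ranks assets by likelihood and harm, and flags in-scope assets nobody has yet brainstormed threats for. The following is an added example written for this article; it is not code from the original piece or from SANS. The sample assets are constructed, and the 1-to-5 scoring scales, the field names and the tie-breaking rule that keeps mission-critical legacy systems from sinking in the ranking are assumptions:

```python
"""Asset inventory, scoping and risk ranking for an in-house security audit.

Added example for this article; not code from the original page. The four
sample assets are constructed, and the 1-5 scales, field names and the
tie-breaking rule are assumptions chosen to illustrate the audit steps.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    system: str                 # grouping used in the audit, e.g. "identity", "messaging"
    purpose: str
    owner: str                  # department that owns the device, software or file store
    likelihood: int             # 1 (unlikely) .. 5 (expected): probability of being attacked
    impact: int                 # 1 (nuisance) .. 5 (business-stopping): harm if compromised
    legacy: bool = False
    mission_critical: bool = False
    network_security: bool = False   # needed to maintain the company's network security
    threats: list = field(default_factory=list)

    def __post_init__(self):
        for score in (self.likelihood, self.impact):
            if not 1 <= score <= 5:
                raise ValueError(f"{self.name}: scores must be 1..5, got {score}")

    @property
    def risk(self) -> int:
        # Step 2 of the audit: risk as a factor of probability and harm.
        return self.likelihood * self.impact


def in_scope(asset: Asset, it_department: str = "IT") -> bool:
    """Step 1's audit rule: stay with IT-owned assets, plus anything, whoever
    owns it, that is required to keep the company's network secure."""
    return asset.owner == it_department or asset.network_security


def prioritize(assets: list) -> list:
    """Step 2: in-scope assets ordered by risk, highest first. Ties are broken in
    favour of mission-critical and then legacy systems, so an old single-purpose
    box the business depends on never drops behind a newer, less critical one."""
    return sorted(
        (a for a in assets if in_scope(a)),
        key=lambda a: (a.risk, a.mission_critical, a.legacy),
        reverse=True,
    )


def missing_threat_lists(assets: list) -> list:
    """Step 3 check: in-scope assets whose threat list is still empty,
    i.e. nobody has yet brainstormed how they can be attacked."""
    return [a.name for a in assets if in_scope(a) and not a.threats]


# Constructed sample inventory (not real systems).
INVENTORY = [
    Asset("dc01", "identity", "domain controller", "IT", 4, 5,
          mission_critical=True,
          threats=["weak or reused admin passwords", "too many Domain Admins"]),
    Asset("mailgw", "messaging", "spam filter / mail gateway", "Messaging", 4, 3,
          network_security=True,          # shared with another department, still in scope
          threats=["filter rules out of date", "open relay misconfiguration"]),
    Asset("badge-srv", "facilities", "legacy badge access server", "IT", 2, 4,
          legacy=True, mission_critical=True),      # threats not yet listed
    Asset("cms", "web", "marketing website CMS", "Marketing", 3, 2,
          threats=["outdated plugins"]),            # not IT-owned, out of scope
]


if __name__ == "__main__":
    for a in prioritize(INVENTORY):
        flags = "".join(f for f, on in (("L", a.legacy), ("M", a.mission_critical)) if on)
        print(f"{a.risk:2d}  {a.name:10s} {a.system:11s} {flags}")
    print("threats still to list:", missing_threat_lists(INVENTORY))
```

Running the script ranks the domain controller first and the mail gateway second (it is in scope despite belonging to another department, because it protects the network), keeps the legacy badge server on the list, drops the marketing CMS as out of scope, and reports the badge server as the asset still lacking a threat list.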
There are also free, detailed checklists available for download from a host of credible sources, including:
• Help Net Security - bit.ly/8wsQc7
• University of Massachusetts - bit.ly/8h7KKe
www.insecuremag.com 46