Wednesday, December 19, 2007

Top ten Information Security issues to tackle now


Dan Morrill (Security Project Manager) Posted 11/26/2007


Top 10 lists generally help summarize what people should be doing, or put issues and ideas in context as a concise bulleted set of things a company can do to strengthen its information security program or projects.

Unfortunately, the ways companies are managed keep changing: software, hardware, Web 2.0, wikis, blogs, and other tools that businesses adopt as the user landscape shifts. Balancing the legitimate demands of regulation such as SOX and HIPAA against business requirements means the information security department needs to be flexible in addressing both business and legal needs.

Get an Evangelist - find a diplomat who will act as liaison between Business, Legal and IT. This person's only job should be bridging the gaps between the three groups in understanding, ability, concepts, and language. This is the most important person a company can hire today to help it work through the ramifications of business decisions, legal requirements, and IT's ability to execute.

Train IT - one of the top 7 reasons IT projects fail is that the IT department is not trained to deal with the new technology. If you can't train, hire for the particular skills new projects need. If the company is developing an internal wiki, hire a wiki guru. If your employees blog, hire a person to oversee the effort and help new internal bloggers. Have someone who understands the setup, running, and maintenance of the blogging or wiki systems.

Decide on a minimum set of qualifications for a position - consistency in job descriptions is important. If social skills are mandatory for a position, make sure those expectations are well described in the job description. If they are nice to have, that is one thing; but if they are mandatory, then the behavioral expectations should be discussed at interview, with a clear, approved way of determining the right personality type for the job.

Take a risk - all IT is risky to some degree. Determine what is and what is not acceptable risk when it comes to an IT project, develop a risk matrix, and use it.

Determine what skills are needed 2 years and 5 years down the road - while it is generally hard to predict where the company is going, there should be a group of IT folks who track and trend new technology and new business ideas. Develop a group that will help set out a minimum skill set for people coming into the company years down the road. Have them work with Training, the Executive Staff, and Business staff to work out a suitable long-range plan and have it approved by the senior executives. Gartner's magic quadrant can help work out where technology is going and what skills will be needed. Then train or hire accordingly.

Start Google hacking your company - do this on the same schedule you would use for any other form of audit. Add to that blogs, wikis, and other sources of data that go beyond the traditional Google hack. Odds are you will initially be very surprised at what you find out about your company.

Develop a defense in depth program for the company - insiders, outsiders, and general policy avoidance have led to some of the biggest hacks of 2007. Start a plan, make it happen, and fund it within reason; use the risk management table to help determine what the greatest threats to the company are. Listen to your IT department; they know where the bodies are buried. If they have nothing to add, or your security department has no idea where to start, it is time to reevaluate the security department and its effectiveness.
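The two items above ask for a risk matrix and then for using that matrix to pick the threats a defense in depth program should fund first. The following is an added illustration, not code from the original post: a small 5x5 likelihood-by-impact matrix with a scoring and banding scheme. The 1..5 scales, the product scoring, the band cut-offs, the "acceptable risk" threshold, and the sample threats are all assumptions constructed for this example; a company would substitute its own appetite and its own threat list.

```python
"""Risk matrix for ranking IT threats (added example, not the post's own).

Likelihood and impact are scored 1..5 and multiplied (max 25). The band
cut-offs and the acceptable-risk threshold below are assumptions chosen for
illustration; the post only says to decide what is acceptable and use a matrix.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)

    def __post_init__(self) -> None:
        # Reject scores outside the matrix so a typo cannot silently distort the ranking.
        for field_name in ("likelihood", "impact"):
            value = getattr(self, field_name)
            if not 1 <= value <= 5:
                raise ValueError(f"{field_name} must be 1..5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


# Assumed banding of the 5x5 matrix: (minimum score, band label), ascending.
BANDS: Tuple[Tuple[int, str], ...] = ((0, "accept"), (5, "monitor"), (10, "mitigate"), (16, "escalate"))


def band_for(score: int) -> str:
    """Map a score to the highest band whose floor it reaches."""
    label = BANDS[0][1]
    for floor, name in BANDS:
        if score >= floor:
            label = name
    return label


def rank_threats(threats: List[Threat], acceptable_max: int = 4) -> List[Tuple[Threat, int, str, bool]]:
    """Return (threat, score, band, within_appetite) tuples, highest score first.

    Ties on score are broken by impact so severe-but-rare items sort above
    frequent nuisances with the same product.
    """
    ordered = sorted(threats, key=lambda t: (t.score, t.impact), reverse=True)
    return [(t, t.score, band_for(t.score), t.score <= acceptable_max) for t in ordered]


def matrix_grid(threats: List[Threat]) -> Dict[Tuple[int, int], List[str]]:
    """Lay the threats out on the (likelihood, impact) grid for review meetings."""
    grid: Dict[Tuple[int, int], List[str]] = {}
    for t in threats:
        grid.setdefault((t.likelihood, t.impact), []).append(t.name)
    return grid


# Constructed sample threats covering the insider / outsider / policy-avoidance
# categories the post names. Scores are illustrative, not a real assessment.
SAMPLE_THREATS: List[Threat] = [
    Threat("Unapproved wiki holding customer data", likelihood=4, impact=4),
    Threat("Insider exfiltration of HR records", likelihood=2, impact=5),
    Threat("Stale backup plan fails during an outage", likelihood=3, impact=5),
    Threat("Phishing via social network contacts", likelihood=4, impact=3),
    Threat("Lost unencrypted laptop", likelihood=3, impact=4),
    Threat("Public blog posts naming internal projects", likelihood=5, impact=1),
    Threat("Denial of service on marketing site", likelihood=2, impact=2),
]


if __name__ == "__main__":
    for threat, score, band, ok in rank_threats(SAMPLE_THREATS):
        flag = "within appetite" if ok else "needs a decision"
        print(f"{score:>2}  {band:<9} {flag:<16} {threat.name}")
```

The ranked output is the "risk management table" the defense in depth item refers to: everything in the escalate or mitigate bands is a candidate for funding, the monitor band is reviewed on the audit schedule, and only items at or under the stated appetite are accepted as-is.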

Reevaluate everything - risks, trends, and times change. How old is the backup plan, or the risk management plan? Do they reflect where the company is and where it is going, or do they exist as a snapshot of the company two years ago?

Learn Web 2.0 and Web 3.0 - the massive changes brought about by social bookmarking, social networks, blogs, wikis, and other data points have altered the nature of information security, and fundamentally altered how people and companies need to address security issues. While the attack vectors might be the same, the data in them, the way people are socially engineered, and how they talk about where they work have changed. This change is permanent; there is no way back, so start planning data security around these kinds of technologies now.

Teach your users - the internet is not a fun, happy, safe place in which to work, play and shop. It is a cesspool, but one we need in order to do our jobs now. Teach users to be defensive, just as you teach defensive driving, self-protection, and due care. Users are still the weakest link in any security program; it is time to take them in hand and work out easily digestible brown-bag lunches to talk about all the things that are happening now.

If a company can do all these things, and work out the processes so that it can be proactive, it might actually stand a chance of staying on top of things. Some of these items need people hired for them, and those people need to be diplomats, technicians and evangelists to make the changes happen. Others on this list just require that companies stay on top of the shifting changes in technology, policy and people issues. All of this needs to be managed against acceptable risk as the company sees it. Starting fresh in 2008 might make 2008 a safer year for everyone.
