Developing a Security Program

Network infrastructure Have you ever heard the statement, “Networks evolve”? Ask any System Administrator whether they think this statement has merit and most will agree. The company grows, and one server turns into two which turns into ten; or, one location turns into five, and before you know it, your network has evolved into its own entity.

As this entity grows, the administrator’s time is consumed, causing some priorities to take a back seat. One area I have seen take a hit is security. As threats change, having a solid security program is important to helping identify and react to these threats, and when your bandwidth is stretched, it is easy to let security slip to the back burner. However, security is much too important to any organization to not keep it a priority.

Business Needs and Risks

When developing a security program, there are some initial critical facts you must identify.
Company’s position on security – You need to find out the business’s stance on security. As a security professional, it is your responsibility to inform the decision-makers on the risks and the cost/benefits related to bolstering the company’s security vs. doing nothing. At the end of the day, security is ultimately a business decision. The acceptable level of risk tolerance must be defined by the company’s decision-makers.

Company’s ‘crown jewels’ – Identifying the company’s most valued assets and what it is willing to spend to protect those assets is critical. For example, a sales organization would place a high value on customer contacts whereas a medical device manufacturer may place inventions or R&D projects at the core of what must be protected. I’ve noticed the answer to this question may vary depending who you ask in the company. For example, a VP of Finance may place accounting data at the top of the list while the Director of Operations may identify people as the number one asset. It is your job to encourage those people to talk together and decide what is most important to the organization as a whole. Once you know what keeps your decision-makers up at night, you will have a starting point to know where to focus your efforts when planning and designing your security program.

Risk assessment – A good way to identify a company’s priorities is to do an assessment. This will help define the top high risk issues in your environment. Furthermore, it will allow you to take bite-sized chunks out of a potentially overwhelming situation. It’s a lot easier to remediate the top twenty issues and feel like you are making headway as opposed to trying to tackle all of your security woes at once. Finally, a risk assessment will give the stakeholders a view into the state of the security on the network.

The end result of this step should help identify the company’s security goals and define a project list for your security fixes. In other words, you should have a blueprint to assist you in designing a secure network and business sponsorship to address the top priority issues.

Compliance requirements – Compliance is yet another business driver when developing your security program and will shape many of your business and design decisions for you. Depending on what regulatory compliance your company falls under, your security design will vary. It is important to work with your compliance team to thoroughly understand your obligations before defining your security program. If you are regulated by some type of compliance, don’t stop securing once you have met compliance. In many cases, compliance is a baseline or a minimum of what the company requires. Meeting the requirements doesn’t automatically make you secure. Use common sense, consider the data you are protecting and consult your decision-makers to reach the best decision for the organization.

Policies

Once you’ve gathered your initial facts, it’s time to sharpen the pencil and develop your security policies.
Create your team – Define a security policy team to write the policies. Members of this team may include the Security Administrator, IT Staff, Management, HR, Legal/Compliance and representation from employee users. These stakeholders help the company create and endorse the direction of security. If you don’t have legal counsel available on staff, you should have your company’s legal advisors review your policies before rollout.

Develop a flexible framework – When writing your security policy, consider creating a framework that will allow for flexibility. A modular approach, in other words, splitting one large policy into smaller policies, will allow you flexibility as business needs change. Below is a list of some key policies that are essential to a good security policy:

  • Acceptable Use Policy
  • Privacy Policy
  • Remote Access Policy
  • Network Maintenance Policy
  • Incident Handling Policy
  • Monitoring Policy and more!

Whether you utilize a third party vendor to help you build your security program or develop the program in house with existing staff, there are many resources on the web related to policy development.

Plan Completion & Rollout

Communicate policies to your users – Once you have completed your security policy, you now need to educate and inform your users. You should have your users sign a consent/acknowledgement form, recognizing that they have read, understand and agree to abide by the policies. If your company should experience a security breach as the result of a user, you then have a policy in place to take performance action as needed.

Review! – Just because you create your policy doesn’t mean that you can now forget about it! Reviewing the policy is necessary especially as the company grows and experiences change. An effective security program is cyclical in nature and will require a re-assessment both annually and as incidences happen. Always reserve the right to change policy if your current policy does not effectively meet your company’s business needs. You should also note that changes made to any of the policies should be proactively communicated to your users.

Enforcement – Policy enforcement is a very critical piece of the plan. Why invest the money and time in developing a program if you have no intention of following through with it? Again, remember what your decision-makers identified as the company’s ‘crown jewels.’

You can enforce policies any number of ways. For example, in your Acceptable Use Policy, you can state that the users are not permitted to access adult websites or other inappropriate sites. How you enforce this part of the policy could be done both automatically and/or manually:

  • You can achieve enforcement by using web filter tools to create compliance.
  • You could conduct a manual solution of random checks of local machines.

Your method of enforcement will vary based on your budget & available staff/resources. The point, though, is to enforce your policy consistently. Policy development is important for the security professional because it gives him/her a baseline or something to measure against. A policy also helps develop and shape the company’s security design considerations. Now that your policy has been defined, you have a good blueprint and starting point on where you need to go from a design perspective!