IT Security Requirements for the New Decade
Published: April 14, 2010
Author: Harry Waldron - Microsoft MVP, Enterprise Security
Technology innovations will accelerate in the coming decade. These new business solutions will usher in improved flexibility and productivity. Often, strong protective controls for new automated solutions are an afterthought. IT security departments must remain an active protective partner in the organization, exercising continuous improvement.
Information must be protected from unauthorized access, accidental disclosure, and malicious attacks. Information now exists in many places beyond the IT perimeter, including notebooks and mobile devices. Security cannot be accomplished with a set-and-forget approach. Users have more automation at their disposal than ever, and they play a vital role in security.
Accurate and well-protected information is essential for business survival. A company's reputation is damaged when security breaches and privacy invasions occur. IT security teams must protect corporate information and educate business professionals. To be effective, they must take an active interest in every security exposure, beyond their primary role of account management.
Best practices for the new decade ahead include:
- Continuous Risk Assessment
Companies must update their security foundation at least annually. Technology and software change rapidly, and the security plan must adapt to new exposures. For example, are there guidelines for mobile phones on which executives may store highly sensitive information? Are best security practices being applied in the Windows 7 standards? Are security concerns being addressed for cloud computing, wireless access, and remote workers? Just as W. Edwards Deming introduced continuous improvement to Japanese industry in the 1950s, IT security must practice it too.
- Current Corporate Policies
Policies, procedures, and standards must stay updated as technology changes. They should be easy to understand and available on the Intranet as a point of quick reference. Essential elements of the corporate policy must be included in a banner message, so that the user acknowledges them each time they sign on. These controls help protect a company's interests in governing responsible business use by employees.
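The sign-on banner mentioned above is a concrete control, so here is an added example (not from the original article) showing how to set and verify it on a Windows machine with PowerShell. The registry values used are the ones the Group Policy settings "Interactive logon: Message title for users attempting to log on" and "Interactive logon: Message text for users attempting to log on" write; the banner wording itself is placeholder text, not a real policy.

```powershell
# Added example: set and verify the Windows interactive-logon banner.
# Run from an elevated (administrator) PowerShell session.
# The key and value names below are the ones the Interactive logon
# Group Policy settings populate; the banner wording is a placeholder.

$BannerKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Set-LogonBanner {
    param(
        [Parameter(Mandatory = $true)] [string] $Caption,
        [Parameter(Mandatory = $true)] [string] $Text
    )
    # Both values are REG_SZ; Set-ItemProperty creates them if absent.
    Set-ItemProperty -Path $BannerKey -Name 'LegalNoticeCaption' -Value $Caption -Type String
    Set-ItemProperty -Path $BannerKey -Name 'LegalNoticeText'    -Value $Text    -Type String
}

function Get-LogonBanner {
    $props = Get-ItemProperty -Path $BannerKey
    New-Object PSObject -Property @{
        Caption = $props.LegalNoticeCaption
        Text    = $props.LegalNoticeText
    }
}

function Test-LogonBanner {
    # $true only when both values are present and non-empty, i.e. Windows
    # will actually display the banner before the credential prompt.
    $b = Get-LogonBanner
    $hasCaption = -not [string]::IsNullOrEmpty($b.Caption)
    $hasText    = -not [string]::IsNullOrEmpty($b.Text)
    return ($hasCaption -and $hasText)
}

# Placeholder wording (assumption): replace with the policy elements your
# legal and security teams require.
$caption = 'Authorized Use Only'
$text    = 'This system is for authorized business use. Activity may be monitored and recorded. ' +
           'By signing on you acknowledge the corporate IT security policy.'

Set-LogonBanner -Caption $caption -Text $text
Get-LogonBanner | Format-List
if (-not (Test-LogonBanner)) { Write-Warning 'Logon banner is not fully configured.' }
```

The banner is shown after Ctrl+Alt+Del and must be dismissed with OK, which is the per-sign-on acknowledgment the policy relies on. On domain-joined machines the Group Policy setting overwrites these local values at refresh, so deploy the text through a GPO for the fleet and use a script like this to verify the result on a sample of machines.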
- Design Secure Workflows
Protective controls must be designed into all automated and manual business processes. When security is designed into IT systems and workflows, users will better know their roles in protecting confidential information. It's always best to invite security to the project's takeoff, rather than the crash landing.
- Technological Defenses
The security perimeter must be actively guarded with multiple layers of protection. There are daily challenges in blocking malware, spam, unauthorized access, and dangerous web content. Patch management, hardening of client settings, and choosing products developed under Trustworthy Computing principles all help in this cat-and-mouse game with malicious individuals.
- Active Security Awareness
Some companies neglect user security education by controlling risks transparently through technological defenses. Conversely, some firms place too much emphasis on education, and users tune out during attempts to reach them. A more balanced approach uses relevant, easy-to-understand, and brief campaigns to reach business professionals. It should include interesting insights and examples they can pass on to others and use to better protect their home environments as well.
- Active Threat Monitoring
Emerging developments must be actively followed. IT security professionals must regularly read security blogs and newsletters to track the latest attacks. When innovative attacks bypass technical defenses, IT security can still mitigate these threats. This might include a brief bulletin to all employees, so that users can avoid a malicious attack that has just breached the security perimeter.
- Network Vulnerability Assessment (NVA)
Security defenses cannot be considered effective until they have been evaluated. An NVA provides an analytical assessment of every control point on the network: routers, clients, servers, ports, network segments, and people. An internal penetration test (pentest) can discover vulnerabilities in the corporate defenses, and a specialty firm can conduct a more comprehensive pentest annually. New computing approaches must be included in scope, as the data on an executive's mobile phone may be more sensitive than anything an attacker could find after breaking into the network. Security is only as strong as its weakest link, and any weak point can become an attacker's entry point.
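One small, repeatable piece of the evaluation described above is checking that network control points behave the way the firewall policy says they should. The following added example (not from the original article) attempts TCP connections from the scanning host and reports any deviation from a documented expectation; the hostnames, ports and expectations are constructed placeholders.

```powershell
# Added example: compare actual TCP reachability against the documented
# firewall expectations. Hosts, ports and expectations are placeholders.

function Test-TcpPort {
    param(
        [Parameter(Mandatory = $true)] [string] $ComputerName,
        [Parameter(Mandatory = $true)] [int]    $Port,
        [int] $TimeoutMs = 2000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # A filtered or unreachable port times out; a closed port raises
        # "connection refused" from EndConnect, which the catch turns into $false.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Constructed expectation list: what the firewall policy says should be
# reachable from this scanning host.
$expectations = @(
    @{ Host = 'intranet.corp.example';   Port = 443;  ShouldBeOpen = $true  },
    @{ Host = 'intranet.corp.example';   Port = 3389; ShouldBeOpen = $false },
    @{ Host = 'fileserver.corp.example'; Port = 445;  ShouldBeOpen = $true  },
    @{ Host = 'fileserver.corp.example'; Port = 23;   ShouldBeOpen = $false }
)

foreach ($e in $expectations) {
    $open   = Test-TcpPort -ComputerName $e.Host -Port $e.Port
    $status = if ($open -eq $e.ShouldBeOpen) { 'OK' } else { 'DEVIATION' }
    '{0,-10} {1}:{2,-5} open={3,-5} expected={4,-5}' -f $status, $e.Host, $e.Port, $open, $e.ShouldBeOpen
}
```

A completed handshake only proves the port is reachable from where the script runs; it says nothing about the service behind it, and a segment that should be blocked must be tested from inside that segment. Run checks like this only with authorization, and treat every DEVIATION line as a finding for the full NVA or pentest to investigate.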
- Promoting Security
Many IT security professionals have outstanding technical capabilities but may lack the skills to convince others of the need to change. Security awareness is often cast in a negative light with "thou shalt not" themes. Reworking security concepts into a positive tone can improve user compliance and management buy-in.
As technology advances, new security requirements will challenge existing defense systems. When access to information improves, so does the potential for it to fall into the wrong hands. Users have more extensive capabilities than ever to derive business information, and they have a vital protective role within the organization. IT security challenges are greater than ever for the decade ahead.