[From iSource Business, February/March 2002] Since the terrorist attacks against the World Trade Center and the Pentagon, much has been said about security and the need to improve it. We wonder, however, if there has been any thought given to the possibility of improving cyber security? While the events of September 11 taught us that we are physically vulnerable in ways we had scarcely imagined, we have been, and continue to be, even more vulnerable in the critical areas of networks and computer systems. Many companies and government agencies continue to view spending for information security as an expense that needs to be controlled. In light of the attacks launched against the free world on September 11, it is astounding to think that management still does not understand the vital role that a solid enterprise security architecture (ESA) can play in contributing to the bottom line.
In today's budget-driven business environment, a belief on the part of senior management that there is no threat to their networks is actually the single greatest threat to the security of a company's sensitive information and computing resources. Without commitment on the part of senior management, the adequate resources, funding and security tools that are necessary to protect vital company networks will not be made available and in the event of a cyber war the company will surely loose. Senior management must begin looking at security as an investment in a company's future, not just another expense. Once this attitude is changed, companies will be able to build an effective ESA.
Yet, one of the main problems with addressing security today is the multitude of security suppliers selling products, all of them professing to address enterprise security problems.
In addition to the hype, those that have seriously looked at the problem know that its complexity makes finding a solution, at times, overwhelming, and it causes them to ask, Where should I begin? The answer is simple: Evaluate your existing infrastructure compared to that of the ESA model and develop a security strategy that addresses the key elements of the existing infrastructure and ESA.
So what are the key elements of a good security strategy, and what does building an ESA entail? While it is clear that not all information requires the same level of protection, a good security strategy begins with the identification of what it is that you want to protect. Therefore, create a system of classification that identifies critical and sensitive information, networks and systems that process or possess the data that, either by their sensitivity or importance to the company, requires protection. For example, in the financial world, we generally ask whether or not the owner of the information would want it printed in the Wall Street Journal on Monday morning. Also consider the new government regulations that require extra measures of protection to ensure the privacy of customer data.
Once you know what you need to protect, you must develop a security strategy that outlines how to protect it. First, it is essential that the security architects do their work with some business goals in mind. Here are some of the goals that we have at OppenheimerFunds:
Companies must engage in sound business and security practices that afford critical and sensitive information adequate protection, resulting in an acceptable level of risk against loss, improper use, compromise, or unauthorized alteration or modification.
Protection programs must be flexible and capable of addressing all information protection needs in the ever-changing business and technical environment.
Protection programs must be focused on actual threats. Strategies must be developed that are based on sound business practices.
Protection programs must ensure the confidentiality and integrity of critical systems and sensitive information, while ensuring its availability to those who need it to perform their assigned duties and tasks.
It is critical to remember we do not do security for the sake of security - we do it for the sake of the business. Therefore, it is essential to have both good business and good security practices in place. Security is fundamentally a business decision, not a technical decision. The solutions are technical, of course, but the needs of the business must be the driving force behind security decisions. Far too often, security decisions that are technically based address only one specific area and leave more critical areas exposed. An effective ESA will look at the whole organization and take the needs of the business into account.
At OppenheimerFunds, our approach to an ESA involves six distinct areas. The first is Organization. In many companies there is no one person that has been given the responsibility for security, and consequently, the job often falls on the shoulders of the chief information officer (CIO) or the CEO. This is a serious misappropriation of resources, because it puts the primary responsibility for security too deep in the organization. If the person responsible for security is also tasked with ensuring that the servers are up 99.9 percent of the time, which area do you think will receive more focus? It is imperative that the executive who oversees security can afford it the proper attention and focused resources.
One of the more neglected areas in security is that of Documentation, which is the second area that we approach. The lack of proper documentation can have a very negative impact on your company's ability to control access, respond to incidents and ensure that your information assets are properly protected. An effective policy statement, coupled with general and targeted standards, will go a long way toward making certain that an effective ESA is in place. Executive-level backing demonstrated by CIO and/or CEO signatures on policies and standards will guarantee compliance at all levels of the company.
After documentation is in place that governs how your employees and contract personnel are to conduct themselves, you will need to inform them of their responsibilities. This is done through an effective security Education Program, which is the third area of approach. Security awareness training should be included in all new employee orientation programs. In addition, a short presentation should be made available for all management to include in their annual staff meetings. A good education program can turn every employee of a company into a security person, greatly increasing the reach of the security group.
Network Protection, the fourth area, is where most companies spend all their financial and personnel resources. While this is an important focus area, you must not neglect the other areas, lest your company be exposed to unwanted disclosure or misappropriation of data. At OppenheimerFunds, we like to view the network protection strategy as a series of three circles or layers. The layers exist to answer three questions. If each layer can effectively answer its particular question, you have a properly functioning network protection strategy in place. The network layers are:
· The Gateway Layer - This layer answers the question, Can I come in? In short, every user that contacts your network must be identified and be able to authenticate to the network who they are. This includes using a number of different methods, tools and techniques, such as user ID and password, PKI, token and biometrics. Some organizations use one or more of these methods, and the one you choose will depend on how important the question is to your company. The gateway layer also contains some tools to ensure that no one can enter your network without first receiving the challenge to identify themselves, such as firewalls, VPN's, intrusion detection systems and other methods and systems.
· The Control Layer - Just because someone has been allowed to come into your company's network does not also mean they can go wherever they want, so this layer answers, Where can I go? Along with identifying users, it is important that we understand the role those users play in the organization and restrict their movement accordingly. For example, you would not want an accountant to have full access to your research and development (R&D) systems. Conversely, a R&D engineer should not have access to the accounting systems.
· The Data Layer - This layer is closely tied to the idea of limiting access based on an individual's role. It answers the question, What can I do? Once a user has been authenticated and it has been determined where they can go in the network, you must decide what you will allow them to do when they get there.
Not everyone who logs into the accounting system is permitted to read or update all the data because, again, the role that a person has will usually determine the level of access they can have.
As you build out the elements of your ESA, you will begin to uncover events that you may have previously overlooked. Some of these events may become serious enough that you consider them security incidents. If you do not have a pre-planned and lucid Incident
Response procedure in place, which is the fifth area of an ESA approach, you will find yourself either ignoring things you should not or chasing shadows that can never be caught.
An effective Incident Response procedure should include such things as categorizing what constitutes an incident as opposed to what could be classified as a normal event, establishing who has the authority to declare an incident and what the escalation path should be. Although these steps seem basic, if you fail to answer them ahead of time you will find yourself frustrated and unable to respond in the heat of battle. A major issue that should be worked out in advance is at what point you should include law enforcement, and who will be given the authority to contact them. Understand that once law enforcement is contacted, the management of the incident is taken out of your hands and placed into theirs. You also cannot control the public release of information about the incident at that point. (For example, court records are open to the public, unless sealed by a judge.) Think through a number of scenarios and build your incident response procedure accordingly.
Piece It Together
When you have addressed everything you can in all of the five areas above, it is time to look at the way it all ties together. Security Management, the final area of approach, does not necessarily deal with who manages security but how it is managed. In many companies, the functions that we detailed above may actually fall under the control of a number of different departments. It is essential that everyone understand the role they play and that someone keeps track of how it all fits together.
The real key is that information security is not the deployment of a couple of pieces of hardware or software; the best model to follow to ensure that nothing is missed is the one laid out in this article. The development and implementation of your company's ESA is something that should not be put off due to expense. Information security should be considered as an investment in the future of your company, not an expense. At OppenheimerFunds, the one thing we have learned, as of late, is that we are all in this together. The recent attacks show that those that do not aggressively protect their systems become part of the problem. By implementing an effective ESA, your company can become part of the solution.
Garry Kolb, assistant vice president of data security at OppenheimerFunds and David M. Hager, vice president of network security and disaster recovery at OppenheimerFunds, have over 55 years of combined experience in the business of information security.