Practical Security Management: Getting Back to Basics

Practical Security Management is not about getting back to basics – it’s about Security 101. Many of the attacks and breaches reported in the Verizon Data Breach Investigations Report and the Ponemon reports are preventable simply by doing the basics: configuring servers correctly, patching, applying software updates and putting AV on endpoint devices. New and improved security technologies keep making their way to market, but if you are not doing the basics, you are losing the game.

Patching is a key component of risk management. Organizations should have an established patching program that is specific to the risks within the company and which addresses:

  • Technologies: In addition to Microsoft, which has returned to releasing patches once a month, other critical business technologies, such as Adobe and Cisco, need to be accounted for.
  • Type of patch: Is it a critical or non-critical patch? How will the patch affect the company, its technology and business processes?
  • Frequency: How frequently should patches be applied? Is the company PCI regulated or subject to other industry regulations that mandate a specific timeframe for applying critical patches?
  • Order: In what order should patches be applied?

Software updates, generally a business responsibility of IT, are still a security concern because software upgrades frequently address security issues. Security executives need to weigh in on the importance of being on the latest version of the software. Issues to consider include:

  • What security functionality does the upgrade provide?
  • How does this affect the ability to comply with standards?
  • Has the software been customized, making the upgrade difficult?
  • What are the risks and cost-benefit of upgrading versus not upgrading?

Organizations should not only have an established security incident response plan, they should be living and breathing it every day. The plan should be updated based on what is happening within the organization on a daily basis, and after any large incident it should be updated with the lessons learned. By continually improving the plan and tying it back to the business, security executives can demonstrate the value of the security program.

Security awareness training for end users continues to be key. In addition to giving users a way to learn, the program should include a component that lets them apply their knowledge and act on what they learned, such as a security awareness mailbox where they can report what they see.