Practical Security Management: Getting Back to Basics
There’s an old saying that: “If a process doesn’t work on the white board, you can never really automate it.” Nowhere is this more true than in information security. Automating a bad process just enables one to do bad things quicker.
At the core of every form of protection is a good solid process, and that goes back to the basics. By understanding the environment, conducting a risk assessment and applying the right controls based on the environment and the risk, organizations can automate systemic controls that will allow them to operate more efficiently and avoid human failure.
Ways to get back to basics include:
- Passwords. Ten years ago the password was predicted to go away; yet good, strong passwords are a basic form of protection today.
- Basic User Awareness. A good, strong awareness program is crucial, but it must be more than an initial or annual security awareness test. Ways to emphasize the importance of information security and keeping passwords and the environment secure include newsletters, games and awareness weeks.
- Solid IT Controls. The ISACA Controls Manual from 10 years ago would still be effective today because of the fundamental IT controls and solid processes.
- Change Control. Managing changes in a test environment is important to the integrity of the IT organization.
- Patch Management. Hackers are not exploiting new things, they are exploiting bad patch processes. Without a good solid patch process, organizations are open to being hacked.
- Layered Security. Implement a combination of controls to keep the environment safe rather than relying on any one control.
- Data Classification. Implement a classification system to understand the nature of the data being protected, and match the security to the classification.
- Anti-virus. Bad IT controls allow a virus to affect a system. While thought to be outdated, anti-virus continues to be important.
|