Security's Everyman

Friday, April 11, 2008

Information Security According to Me

I love technology. There isn't much that is more exciting than getting a new "toy" to play with and using it to make your job easier and hopefully more secure. I think it's pretty cool how a piece of software can alert you to threats to your system, prevent you from doing things that you shouldn't do, and keep your system from doing things without your knowledge. I really like the concept of having devices on the network that can watch the traffic flowing through it and make assumptions and/or decisions based upon rules, algorithms, and other things over my head, and then either drop, divert, or allow the traffic to continue. Often these things can shut down ports (logical and physical), push ACLs to devices, and do other things to stop worms, viruses, and other bad things in their tracks.

The problem with technology is that it often gets misconfigured, deployed improperly, or just isn't the right fit for what you are trying to do. Even if none of this happens, it can still be left to its own devices and cause problems. It has to be monitored, updated, tweaked, and cared for on a regular basis. Not only that, but in the case of shutting down ports and pushing ACLs automatically, I would hope that you don't really want or allow that to happen on your network. Talk about taking a risk. Technology is cool and it is necessary, but it has to be used in the right way for your situation. You can't let the vendors drive your strategy. Use them to learn about your options, but whatever you do, DON'T let them sell you what they want to sell you. Take your time, review your options, look at the pros and cons of each solution, and find the one that fits your need and that will fit in with your strategy and plans for the future.

As much as I like technology, I still feel that it falls far short of the mark of keeping us secure. It goes much deeper than that. It requires a good, solid framework that includes policy, process, procedures, guidelines, user awareness training, and security training for IT staff. I like the new buzz acronym of GRC: Governance, Risk, and Compliance. I think that it does a pretty good job of summing up what a solid program consists of. If a company doesn't allow IT governance to play a part in the way it does business, then it is missing out on opportunities to make the best technology and policy decisions. These decisions are partly based upon the risk that is involved in doing various activities to enhance business. They are based upon the framework that is (or should be) in place for how technology is used to enable business. They take into consideration the goals and objectives of the company, the projects the LOBs have, the way the IT infrastructure is designed, and making the best use of what is already in place.

GRC is not perfect, but when implemented correctly and supported from the top down, it will make things run smoother and allow the business to function in a manner that balances security, productivity, and usability, and makes the best use of company resources.

This work is licensed under a Creative Commons Attribution-NC-SA 3.0 License.