Security management deals with how system integrity is maintained amid man-made threats and risks, intentional or unintentional. Intentional man-made threats include espionage, hacks, and computer viruses. Unintentional threats include those due to accidents or user ignorance of the effects of their actions. Security management ranges from identification of risks to determination of security measures and controls, detection of violations, and analysis of security violations. I'll describe the steps involved in security management and discuss factors critical to the success of security management.
Step 1: Determine and evaluate IT assets
Three types of assets must be identified.
- Computer hardware and software resources
- Building facilities
- Resources used to house sensitive assets or process sensitive information
The information category includes sensitive data pertaining to the company's operations, plans, and strategies. Examples are marketing and sales plans, detailed financial data, trade secrets, personnel information, IT infrastructure data, user profiles and passwords, sensitive office correspondence, and minutes of meetings. Recently, concern has also risen about protecting company logos and materials posted on the public Internet.
The people category includes vital individuals holding key roles, whose incapacity or absence will affect the business.
After you identify company assets, the next step is to determine their security level. Depending on the company's requirements, assets may be classified into two or more levels of security. I recommend two levels for organizations with minimal security threats: public and confidential. A three-level security classification scheme can be implemented if security needs are greater: public, confidential, and restricted.
Be wary of having too many security levels; this tends to dilute their importance in the eyes of the user. A large multinational IT vendor used to have five levels of security: public, internal use only, confidential, confidential restricted, and registered confidential. Today, it has cut down to three: public, internal use only, and confidential. Employees were confused about the differences among the secured levels and the procedures associated with each one. Having too many security levels proved expensive in terms of employee education, security facilities, and office practices—the costs were often greater than the potential losses from a security violation.
Step 2: Analyze risk
Every effective security management system reflects a careful evaluation of how much security is needed. Too little security means the system can easily be compromised intentionally or unintentionally. Too much security can make the system hard to use or degrade its performance unacceptably. Security is inversely proportional to utility—if you want the system to be 100 percent secure, don't let anybody use it. There will always be risks to systems, but often these risks are accepted if they make the system more powerful or easier to use.
Acceptance of risk is central to good security management. You'll never have enough resources to secure assets 100 percent; in fact, this is virtually impossible even with unlimited resources. Therefore, identify all risks to the system, then choose which risks to accept and which to address via security measures. Here are a few reasons some risks are acceptable:
- The threat is minimal.
- The possibility of compromise is unlikely.
- The value of the asset is low.
- The cost to secure the asset is greater than the value of the asset.
- The threat will soon go away.
- Security violations can easily be detected and immediately corrected.
After you've identified the risks, the next step is to determine the effect to the business if the asset is lost or compromised. By doing this, you get a good idea of how many resources should be assigned to protecting the asset. One user workstation almost certainly deserves fewer resources than the company's servers.
The risks you choose to accept should be documented and signed by all parties, not only to protect the IT organization, but also to make everybody aware that unsecured company assets do exist.
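The acceptance reasons and the "effect to the business" weighting described in this step can be written down as a small risk register. The following is an added example, not code from the original article: it applies each listed acceptance reason to a set of identified risks, ranks the remaining ones by expected loss so that resources go to the assets that matter most, and returns the accepted-risk list that should be documented and signed off. The asset names, values, probabilities and thresholds are constructed for illustration.

```python
"""Added example (not from the original article): a risk register that
applies the Step 2 acceptance reasons and ranks the remaining risks by
expected loss.  All asset data and thresholds below are constructed."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Risk:
    asset: str
    value: float            # effect on the business if the asset is lost or compromised
    likelihood: float       # estimated probability of compromise over the planning period (0..1)
    cost_to_secure: float   # cost of the measure that would address the risk
    threat_ending: bool = False     # the threat will soon go away
    easily_detected: bool = False   # violations are easily detected and immediately corrected

# Assumed organisational thresholds; a real register would set these per company.
LOW_ASSET_VALUE = 1_000      # below this the asset value is considered low
UNLIKELY = 0.05              # below this the possibility of compromise is considered unlikely
MINIMAL_EXPOSURE = 100       # below this expected loss the threat is considered minimal

def exposure(r: Risk) -> float:
    """Expected loss = business effect x probability of compromise."""
    return r.value * r.likelihood

def acceptance_reason(r: Risk) -> Optional[str]:
    """Return the first reason from the Step 2 list that justifies accepting
    this risk, or None if the risk must be addressed by a security measure."""
    if r.cost_to_secure > r.value:
        return "cost to secure exceeds asset value"
    if r.value < LOW_ASSET_VALUE:
        return "asset value is low"
    if r.likelihood < UNLIKELY:
        return "compromise is unlikely"
    if exposure(r) < MINIMAL_EXPOSURE:
        return "threat is minimal"
    if r.threat_ending:
        return "threat will soon go away"
    if r.easily_detected:
        return "violations are easily detected and corrected"
    return None

def triage(risks: list) -> dict:
    """Split risks into the documented accepted list (with reasons) and the
    list to address, the latter ordered by expected loss so the most
    important assets get resources first."""
    accepted, address = [], []
    for r in risks:
        reason = acceptance_reason(r)
        if reason is None:
            address.append(r)
        else:
            accepted.append((r.asset, reason))
    address.sort(key=exposure, reverse=True)
    return {"accepted": accepted, "address": [r.asset for r in address]}

def demo() -> dict:
    # Constructed sample register.
    risks = [
        Risk("file server", value=500_000, likelihood=0.2, cost_to_secure=20_000),
        Risk("reception PC", value=800, likelihood=0.3, cost_to_secure=5_000),
        Risk("legacy dial-in modem", value=50_000, likelihood=0.1, cost_to_secure=10_000, threat_ending=True),
        Risk("lobby display", value=20_000, likelihood=0.5, cost_to_secure=1_000, easily_detected=True),
        Risk("offsite backup tapes", value=200_000, likelihood=0.02, cost_to_secure=3_000),
        Risk("workstation-17", value=2_000, likelihood=0.3, cost_to_secure=500),
    ]
    return triage(risks)

if __name__ == "__main__":
    result = demo()
    print("Accepted risks (to be documented and signed):")
    for asset, reason in result["accepted"]:
        print(f"  {asset}: {reason}")
    print("Risks to address, highest expected loss first:", result["address"])
```

The ordering of the rules matters: a risk is accepted for the first matching reason, and the output shows both the reason and the assets that still need measures, which is the document the text says all parties should sign.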
Step 3: Define security practices
Define in detail the following key areas of security management:
- Asset classification practices: Guidelines for specifying security levels as discussed above
- Risk assessment and acceptance: As above
- Asset ownership: Assignment of roles for handling sensitive assets
- Asset handling responsibilities: The tasks and procedures to be followed by the entities handling the asset, as identified above
- Policies regarding mishandling of security assets
- How security violations are reported and responded to
- Security awareness practices: Education programs and labeling of assets
- Security audits: Unannounced checks of security measures put in place to find out whether they are functioning
Step 4: Implement security practices
At this phase, implement the security measures defined in the preceding step. You can do this in stages to make it easier for everybody to adapt to the new working environment. Expect many problems at the start, especially with respect to user resistance to their security tasks, such as using passwords. Staged implementation can be performed in several ways:
- By department, starting with the most sensitive assets. The natural first choice would be the IT department.
- By business function or activity, starting with those that depend on (or create) the most sensitive assets. You might begin with all business planning activities, followed by marketing, human resources, etc.
- By location, especially if prioritized sensitive assets are mostly physical. This approach is easiest to implement. However, its effectiveness is doubtful for information assets residing in networked computer systems. You might start with the IT data center, then gradually widen the secured area to encompass the entire business facility.
- By people, starting with key members of the organization.
Step 5: Monitor for violations and take corresponding actions
An effective security management discipline depends on adequate compliance monitoring. Violations of security practices, whether intentional or unintentional, become more frequent and serious if not detected and acted on. A computer hacker who gets away with the first system penetration will return repeatedly if he knows no one can detect his activities. Users who get away with leaving confidential documents on their desks will get into bad habits if not corrected quickly.
You'll perform two major activities here: detecting security violations and responding to them. With respect to sensitive assets, it is important to know:
- Who has the right to handle the assets (user names).
- How to authenticate those asset users (password, IDs, etc.).
- Who has tried to gain access to them.
- How to restrict access to allowed activities.
- Who has tried to perform actions beyond those that are allowed.
Document the response to security violations, and follow up immediately after a violation is detected. The IT organization should have a computer emergency response team to deal with security violations. Members of this team should have access to senior management so that severe situations can easily be escalated.
Responses can be built into your security tools or facilities to ensure that the response to a violation is immediate. For example, a password-checking utility may be designed to lock out a user name immediately after three invalid password entries. Alarms can be installed around the data center facility so that if any window or door is forced open, security guards or police are immediately notified.
A critical part of this activity is the generation of reports for management that discuss significant security violations and trends in minor incidents. The objective is to spot potential major security violations before they cause serious damage.
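The five monitoring questions above (who may handle the asset, how they are authenticated, who tried to gain access, what they may do, who tried to go beyond that), the built-in lockout after three invalid passwords, and the management report of significant violations and minor-incident trends can all be seen in one small access gateway. The following is an added example, not code from the original article: it guards a single sensitive asset, keeps an audit trail of every attempt, locks a user name after the third bad password, and produces a report separating significant events from counted minor ones. The user names, passwords, permitted actions and the replayed event stream are constructed for illustration, and the three-attempt threshold is an assumed policy value.

```python
"""Added example (not from the original article): an access gateway for one
sensitive asset implementing the Step 5 monitoring points, the lockout
response and the management report.  All names and events are constructed."""
from collections import Counter
from dataclasses import dataclass
import hashlib
import hmac
import os

LOCKOUT_THRESHOLD = 3   # assumed policy: lock the user name after three invalid passwords

def _digest(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so the stored credential is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    salt: bytes
    digest: bytes
    allowed: frozenset      # actions this user name may perform on the asset
    failures: int = 0       # consecutive invalid password entries
    locked: bool = False

class AssetGateway:
    """Knows who may handle the asset, authenticates them, restricts them to
    allowed activities, and records every attempt for later reporting."""

    def __init__(self) -> None:
        self.accounts: dict = {}
        self.sessions: set = set()
        self.audit: list = []       # chronological (user name, event) records

    def add_user(self, name: str, password: str, allowed) -> None:
        salt = os.urandom(16)
        self.accounts[name] = Account(salt, _digest(password, salt), frozenset(allowed))

    def authenticate(self, name: str, password: str) -> bool:
        acct = self.accounts.get(name)
        if acct is None:
            self.audit.append((name, "unknown-user"))
            return False
        if acct.locked:
            self.audit.append((name, "locked-out"))      # attempt against a locked name
            return False
        if hmac.compare_digest(acct.digest, _digest(password, acct.salt)):
            acct.failures = 0
            self.sessions.add(name)
            self.audit.append((name, "login-ok"))
            return True
        acct.failures += 1
        self.audit.append((name, "bad-password"))
        if acct.failures >= LOCKOUT_THRESHOLD:
            acct.locked = True                           # immediate built-in response
            self.sessions.discard(name)
            self.audit.append((name, "locked"))
        return False

    def perform(self, name: str, action: str) -> bool:
        """Allow only authenticated users and only their permitted actions."""
        if name not in self.sessions:
            self.audit.append((name, "unauthenticated-action"))
            return False
        if action not in self.accounts[name].allowed:
            self.audit.append((name, "unauthorized-action:" + action))
            return False
        self.audit.append((name, "action-ok:" + action))
        return True

    def report(self) -> dict:
        """Management view: significant violations listed individually,
        minor incidents counted per user name so that trends are visible."""
        significant = [(u, e) for u, e in self.audit
                       if e == "locked" or e.startswith("unauthorized-action")]
        minor = Counter((u, e) for u, e in self.audit
                        if e in ("bad-password", "locked-out", "unknown-user"))
        return {"significant": significant, "minor": dict(minor)}

def demo() -> dict:
    # Constructed event stream replayed against the gateway.
    gw = AssetGateway()
    gw.add_user("alice", "alice-pw", {"read"})
    gw.add_user("bob", "bob-pw", {"read", "write"})
    gw.authenticate("alice", "alice-pw")
    gw.perform("alice", "read")
    gw.perform("alice", "delete")            # beyond alice's allowed actions
    for _ in range(3):
        gw.authenticate("bob", "guess")      # third invalid entry locks the name
    gw.authenticate("bob", "bob-pw")         # correct password, but already locked
    gw.authenticate("root", "toor")          # no such user name
    return gw.report()

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The audit list answers "who has tried to gain access" and "who has tried to perform actions beyond those allowed" directly, while the report keeps single bad passwords as counted minor incidents and promotes lockouts and unauthorized actions to the significant list management should see.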
Step 6: Reevaluate IT assets and risks
Security management is a discipline that never rests. Major changes that would require a reassessment of the security management practice include:
- Security violations are rampant.
- Organizational structure or composition changes.
- Business environment changes.
- Technology changes.
- Budget allocation decreases.
As information technology continues to grow in scope and importance, the value of managing the security of mission-critical computer systems running an organization's most sensitive processes and functions cannot be overstated. With security one of their highest priorities, executives are searching for effective techniques to deliver maximum security while simplifying security management. With a well-defined security management process in place, your IT organization will realize numerous benefits—reduce the number and effect of security incidents, reduce problem resolution time, and improve staff productivity.
TechRepublic originally published this article on 8 November 2003.