By Evan Francen, CEO FRSecure
Article 3: Basic Security Starts Here
This is the third and final installment in our three-part series titled “Security – Back to the Basics”. The purpose of the series was to take you from a state of confusion about information security (article #1 “You’re Not Alone, We’re All Confused”) to an understanding of information security basics (article #2 “Information Security Basics”). This third article (“Basic Security Starts Here”) wraps the series up with some practical advice about what to do next.
Step 1: Risk Assessment
An effective information security program and the decisions you make must be based on risk. You may recall (from our second installment in this series) that our definition of risk is the likelihood of something bad happening and the impact if it did.
There are entire books written about conducting risk assessments. We don’t have the time to cover the details of conducting a risk assessment, but we can give you characteristics of a good risk assessment:
- Comprehensive – The assessment should consider many* of the administrative, physical, and technical controls, vulnerabilities (actually a lack of control), threats, and assets that are in-scope for your program.
- Measurable – You should be able to quantify (based on some criteria) how changes to your security program (internally and externally) will affect risk.
- Direction – A good risk assessment should provide direction to what things you should do next.
*The word “many” is used because you really can’t be sure that you’ve considered all of them. As you get better at conducting assessments, you’ll get better at identifying controls, vulnerabilities, threats, and assets.
Your risk assessment should give you a good starting point (or reference) from which to drive future efforts. It also helps to obtain management acceptance (budget, attention, etc.) for your security program.
Step 2: Asset Management
Assuming that your risk assessment doesn’t take you in a different direction, the next area of focus is asset management. In many cases, your risk assessment brings you here anyway.
Why asset management? Two big reasons:
- You can’t secure what you don’t know you have.
- You should emphasize controls on your most critical (or valuable) assets.
When we (FRSecure) inquire about asset management during our assessments, we start with a question like; “Do you have an asset inventory”? Almost everyone answers yes. When most people think of “asset inventory”, they think of hardware assets. When we ask this question, what we’re really inquiring about are hardware, software, and data assets. Data assets are arguably the most valuable assets in organizations, and most organizations have no idea how much data they have, where it is, or where it goes.
Build an asset management program that:
- Starts with policy.
- Encompasses data (or Information), software, and hardware assets.
- Accounts for the entire asset lifecycle from creation/acquisition all the way through to destruction/disposal.
- Is centralized.
- Is automated as much as is feasible. This will likely require investment in technology.
- Is reconciled regularly or constantly.
- Accounts for asset value, if possible.
- Is tied into (or able to be tied into) other processes such as data classification, change control, access control, data retention, disaster recovery, etc.
Asset management is a foundational and core component to establishing a solid information security program. If you don’t have good asset management, don’t expect good information security.
Step 3: Change Control
Once you have your head (and processes) around asset management, the next step is controlling assets. Initially (if this is a new endeavor), focus on controlling changes to the systems (physical systems, operating systems, and applications).
A good working definition of change control is:
“The procedures to ensure that all changes are controlled, including the submission, recording, analysis, decision making, and approval of the change.”
The definition comes from a good article on the subject written by Edward Stickel on the Technology Executives Club website.
Step 4: Access Control
Closely related to change control is access control. Access control encompasses identification, authentication, and authorization of who should have access to assets and what type of access they should possess.
Just like everything in information security, access control starts with policy and must account for:
- The entire lifecycle of the entity’s (typically, but not limited to people) presence in the environment.
- Physical and logical access.
The lifecycle includes provisioning access, auditing access, changing access, and revoking access to assets.
For more information about the basics of access control, see “Fundamentals of Information Systems Security/Access Control Systems”.
We have the opportunity to talk with information security professionals every single day in our work. We all need to be reminded of the basics. It’s easy to lose sight of foundational security concepts in the constant bombardment of new products, advanced threats, and sensational exploits.
In this series we covered some of the confusion in our industry, covered information security basic concepts, and gave guidance for where you should start. The course you take in laying out your own information security strategy may differ slightly; depending on any number of factors.
The one piece advice, regardless of your path to better security, is don’t lose track of the basics.
FRSecure is an expert-level information security management and consulting company. We specialize in developing and implementing methodologies to fix our broken industry. FRSecure’s flagship offering is the FRSecure Information Security Assessment (FISA™) and FISA Score™.