Monday 4 June 2007

Cheap yet Effective Information Security

Many Information Security study books will tell you about the holy Security Trinity of Confidentiality, Integrity and Availability, the so-called CIA Triad, which is all well and good. But I live by another holy Security Trinity: Policies, Users and Technology.

The most important area is, and will always be, User Security Awareness. However, you cannot sort the Users out until you have your Information Security Policies in order, so your first stop has to be tackling the policy paperwork, and then ensuring you get that all-important senior management backing.

Clearly Technology plays a very important role within the trinity, but unlike Policies and User awareness, technology carries by far the highest budget costs. You will always have to fork out for the basic security systems like firewalls, swipe card systems, anti-virus systems and the rest of it. However, depending on your business and the risk mitigation required, a lot of the expensive “additional” security technologies out there may not be a necessity if you have the right security policies and user awareness in place. Within most businesses I find the security technology basics are usually all in place, but badly managed and maintained, which points back to fixing the Policies and the Users. You can splash out on all the latest security technology in the world, but if you have not got your system administrators and user base on board with security awareness, then it’s just going to be a waste of money.

Take the technology of NAC for example: great for controlling who is allowed to plug into your network. However, if you don’t have the budget and the risk acceptance requirements, for example at a small office site, creating a policy that covers who is and is not allowed (visitors) to plug into the network, and then educating the users so the policy is enforced, can be just as effective as investing in and deploying NAC technology. I would go on to argue that educating the users and putting the security responsibility on them, rather than relying blindly on NAC technology, helps instil greater security awareness in the users. It’s all horses for courses: within larger enterprise environments you cannot make do without a lot of additional security technology to manage security and risk, but you will still find that educating the administrators (the Users) in security is key. The classic I see is administrators who have weakened the expensive security technology just to make life easier, again due to poor user security awareness.

The most important aspect of User Security Awareness programmes is to ensure it is not just a one-off event, but a sustained programme. I often say to users: information is the business’s key asset; it is not my responsibility to secure the information, but to help you (the user) secure the information, thereby giving information security responsibility to the user. It’s key to get users on your side and not hostile towards you or the security policies. Users must have “bought into” any security policies you have or introduce, otherwise they won’t be worth the paper they are written on. I use several techniques to achieve user security awareness; one I find particularly effective is teaching users how to be secure at home, as I find they bring their home security responsibility and awareness into the workplace. Perhaps I will go through some of my other effective user security awareness techniques in another blog post.

To sum up, by tackling your Security Policies and User Security Awareness you can make a lot of quick wins and security improvements without any capital cost. Technology plays just as vital a role too, but don’t just rely on technology to remedy your security risks: have an approach which covers all three areas of Policies, Users and Technology, and make sure you review all three areas regularly.

You can find some good Security Awareness documentation at US Homeland Security -
