
Information security - one-dimensional? We don't think so!

Johannesburg, 28 Feb 2007

The advance in technology during the 21st century has brought with it advances in threats to information. Information security cannot be addressed on its own within any organisation, as the organisation then just obtains a one-dimensional view of the business.

Similarly, threats to information and the mitigation thereof must be seen in the light of the business strategy and goals, as well as the risk-appetite of the organisation.

The traditional focus on information security has been point solutions like AV and firewalls that have been (incorrectly) touted as being the solution for all problems. Sadly that view is somewhat skewed. Organisations can no longer afford to take a one-dimensional view to information security.

Information, to coin a cliché, is the most important asset in any organisation. Very few people would argue with that assertion. The problem, however, is that not all organisations understand this asset or have the capacity or appetite to deal with it.

This is for a number of reasons, most notably the costs, the hype around information security, the threat of legislative and regulatory sanction and most importantly, the ignorance of businesses in respect of the scope of the required activity to secure information.

Selling the concept of security pre-1990 was easy - fear. That drove security spend, albeit in the physical arena. Selling the concept of security in the information arena became easier post 9/11. Whispered conversations about DRP and backups were held all around the world as most security providers scrambled to get a piece of this "fear" pie.

The cost? The reputation and integrity of security professionals the world over. New versions of malicious code saw an increase in the sale of AV; the fear of hacking attacks saw a rise in sales of firewalls and of the newly coined abbreviations IPS/IDS. All of these solutions were useful, but tended to address issues in a singular, one-dimensional way.

What is required to adequately address the security needs of companies the world over? What are those common issues which need to be addressed to give CEOs a good night's rest? What are the issues that will not only address security but also the related compliance? The answer is quite simple: a holistic approach to security, and in this case information security.

How does a company go about addressing the information threat holistically, based on the cliché of information being the most important asset? The answer is a question: how do you eat a 50-ton elephant? Piece by piece!

The very basis of being able to address your information security risks is to conduct a system-wide risk assessment, something that is explicitly stated in ISO 27001 and implied in King II, the PFMA and the Companies Act. The rationale is simple - know your assets and what threatens them, and you can then devise cost-effective countermeasures to mitigate that risk.

Let us look at the risk of data being corrupted or lost due to malicious code. The traditional approach would be to slap down a reputable AV package to "solve the problem". The better approach would be to determine whether a policy exists for network configuration, updates and patches, then to implement an AV strategy that includes a policy on updates, etc.

This approach goes to the cause of the problem and not the symptoms. Taking malicious code as the example: I do not claim to know very much about it, but I do know that malicious code often exploits a known vulnerability in either the OS or related software or services. So the cure would be to remove the known vulnerability before putting AV down, whether that vulnerability lies in the people, process or technology sphere.

This approach of addressing the cause of information security risks and not the symptoms will mitigate many information security issues.

I have rambled on about AV and information security risks, but what am I actually saying? To address AV (as an example) without addressing the policy or process issue makes no sense. You need to look at the entire problem and discover the root cause.

A holistic approach to information security involves assessing how and when you lose information, including but not limited to:

* Via electronic mail
* Via removable media
* Printed and removed
* Data corruption
* Deletion of information (maliciously or incidentally)
* Hackers
* Malicious code hidden in electronic mail messages

Taking this into account, add the disappearing network boundary and remote access or telecommuting and the whole "information security" problem takes on a new dimension.

Is there a solution? The simple answer is yes. The complicated answer is also yes, but only with effort and commitment.

Condyn recommends that all businesses, regardless of size, implement the following strategy in order to ensure a level of information security:

* Conduct a system-wide risk assessment on policies, procedures and technologies and develop countermeasures. Train people to follow defined processes that are securely enabled by technology.
* Secure the company's end points
* Secure the company perimeter
* Secure the company's remote access facilities
* Secure the mobile communication infrastructure
* Secure the electronic mail infrastructure
* Filter all electronic mail messages
* Filter all electronic mail content
* Ensure a management and reporting function

The next instalment will cover this holistic approach in more detail.


Condyn

Condyn (www.condyn.net) has been focused on delivering and supporting best-of-breed security solutions within the African market for over 10 years, and has a long-established, proven relationship with both partners and customers.

At the beginning of 2006 it announced the 'Condyn Security Framework', an integrated security suite of products aimed at providing comprehensive defence for the demanding needs of organisations, both large and small.

This framework, delivered as scalable modules through high-quality partners, includes solutions that protect companies from all inbound and outbound messaging threats; secure digital assets and meet regulatory compliance requirements by forensically archiving all data; control Web access; deliver secure mobile e-mail to most handsets and devices; encrypt and 'lock down' all end points, servers and files; and enable vulnerability testing and asset management, powerful monitoring and management reporting, and policy flexibility and workflow. It is delivered as software and 'black box' appliances, through partners, as managed services.