People, Processes, and Technology: The Three Pillars of Successful Security Strategy
By Ajit Singh
When people think about IT security, they typically think about things like firewalls, anti-virus software, password encryption and so on. While such aspects of data security are obviously important, technology alone has limited scope in protecting sensitive data from cyber-attacks or data leaks. In order to implement an effective security strategy, the People, Processes and Technology triad is a great place to start.
The first pillar is perhaps the most important. According to a report by Symantec, “human errors and system problems account for 64 percent of data breaches.” And it’s not just the non-technical staff members that are responsible for such breaches. According to Computerweekly.com, system administrators present the biggest risk to corporate data. Staff members who are employed by contractors must also be closely examined.
For example, just last week it was discovered that a private company employed by the NHS misplaced half a million confidential records over a period of 5 years. Additionally, there have been a number of cases where administrators have gone “rogue” and decided to sell credit card details to criminals or confidential company information to competitors. As you can see, it’s crucially important that you don’t overlook the damage that can be caused by incompetent or potentially malicious staff members.
The first step in protecting your organization from “people” is to ensure that you have implemented a comprehensive training plan, which should accomplish the following:
- Explain the laws and regulations associated with data protection, and the penalties involved, should they fail to comply.
- Ensure that administrators understand the importance of security auditing, and are familiar with the tools that allow them to manage permissions, monitor and report system events.
- Ensure that staff members clearly understand the organization’s security policy.
- Explain any important terminology associated with cyber-security.
- Ensure that staff members are aware of the security implications of using external contractors.
- Ensure that staff members are aware of the security implications of BYOD (Bring Your Own Device).
- Train staff members to be vigilant in identifying and reporting any suspicious behavior associated with other staff members.
- Educate staff members about the best practices for managing a data security breach.
- Cover the basic principles of cryptography, including authentication, authorization and password protection.
- Educated staff members about the dangers of malware and ransomware and ensure that they know how to quickly identify potential attacks.
To help you understand what a security process actually is, we will need to examine the industry standard methods for defining a security process. The Information Security Management System (ISMS) is a set of policies and procedures designed to help an organization manage their sensitive data, and is complimented by two additional specifications.
The first specification is the ISO 27001, which, according to the documentation, was developed to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.”
The ISO 27001 specification outlines a planning process which consists of six parts:
- Define a security policy.
- Define the scope of the ISMS.
- Conduct a risk assessment.
- Manage identified risks.
- Select control objectives and controls to be implemented.
- Prepare a statement of applicability.
The second specification; ISO 27002, defines a set of “information security control objectives”, which includes 12 main sections:
- Risk assessment
- Security policy
- Organization of information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development, and maintenance
- Information security incident management
- Business continuity management
There are a number of other ISO specifications under development which focus on things like implementation guidance, improving the effectiveness of the ISMS, risk management, certification and auditing guidelines. Additionally, there other standards such as COBIT 5 and ITIL.
This is where things get a bit more complicated. There are a large number of terms and technologies that you need to be aware of in order to effectively secure your system. These include:
POS malware, browser vulnerabilities, BYOD, lost or stolen devices, phishing attacks, data backups, desktop security and viruses, firewalls, VPN’s and secure remote access, secure wireless connections, network and server configurations, IP address management (IPAM), security patches and updates, UPS, disabling unused services, SNMP configurations, VLANs, unassigned ports, routing protocols, spam filters and scanners, SSID, encryption and authentication.
Wow! That’s already an extensive list, and it only the start. Since providing an explanation about each of these terms and technologies is beyond the scope of this document, I would like to instead focus on the often overlooked, yet crucially important area of IT security that is auditing!
I cannot overstate the importance of having a sophisticated, specialized suite of auditing tools at your disposal. It is imperative that you know exactly who has access to what data, when your data is accessed, and where your data resides. In order to ensure that you are compliant with the many laws and regulations surrounding data security, you must be able to provide a detailed set of reports that will assure the regulatory bodies that you are in control of your data.
About the Author: Ajit Singh is a Marketing Manager for IT auditing, security and compliance vendor, Lepide.
Latest posts by Jeff Edwards (see all)
- Security Startup Smyte Seals $4M in Series A - March 29, 2017
- Building a Security Operations Center - March 27, 2017
- Proposed Bill Would Increase Boardroom Accountability for Cybersecurity - March 23, 2017