Information security is the collection of procedures, technologies, and physical systems designed to safeguard the information considered vital to the survival of an organization. When designed correctly, information security is a process that adds value to an organization. Information security is not a firewall. It is not a box. It is not any single element. It is a process. Think of information security the way you would think of quality assurance in a manufacturing environment: done well, it lowers the cost of doing business and improves the effectiveness of the organization.
The Information Security Lifecycle
Information security implementation is a cyclical process that involves constant review, testing, and revision, as depicted in the image to the right. The cycle has five distinct phases:
- Risk/threat assessment: In this phase, critical corporate information is identified and located, and the various risks and threats to that information are identified and assessed.
- Security policy: The security policy provides an overall vision for the information security plan. During the development of this policy, we also create a comprehensive plan for information security that will include the security standards and security procedures (see below).
- Implementation: The next phase is to implement the information security plan. This involves deploying technology and systems and training personnel.
- Enforcement: The information security plan must then be enforced, to ensure that all aspects of the plan are being maintained.
- Testing and review: The information security implementation must also be tested to ensure it does what it was planned to do, and must be periodically reviewed to ensure that changes in the corporation or its information context have not rendered some aspects of the plan obsolete or required the introduction of new procedures, technologies, or systems.
Information Security Documentation
The key to effective information security is appropriate planning. Without a solid plan, information security tends to be ad hoc at best. Three documents are critical: the information security policy, the information security standards, and the information security procedures. These are described below.
Security Policy: The Why
The first step to implementing information security is not based on technology. It involves developing a security policy, a short document (2–4 pages) that explains why you want to implement security. If you cannot find a reason to implement security (which is doubtful), then do not. The security policy justifies the implementation of security measures. One should not implement security for its own sake; if you did, you would be letting technology drive the company, when the company should be driving the technology.
The policy should answer the following questions:
- Why is information security important to the company?
- How does information security support the company’s mission statement?
- What is the cost-benefit of implementing an information security policy?
- What are the consequences of not implementing and complying with the information security policy?
The security policy will most likely not change very often and will refer to other documents described below for implementation issues and other details. The contents of the other documents and ultimately the implementation must be measured against the security policy, so it is important to get it right. If the organization is doing things not mandated by the security policy (which describes why you are doing it in the first place), there is no benefit to the organization and resources are better focused elsewhere.
Security Standards: The What
The security standards document accompanies the security policy and describes what must be secured to comply with the policy. It might refer to other departments’ documents (e.g., Human Resources requirements for confidentiality of employee data) or other standards and laws. It will identify an organization’s assets, the risk to the organization if those assets are not protected, and the threats that must be protected against. When a risk or threat is identified, the company must decide whether or not to deploy countermeasures (i.e., steps to reduce the risk of an event having an effect) or insure against the risk; such measures should not cost more than the asset is worth.
The security standards should explicitly identify all assets critical to the business and the degree of threat and risk that they must be protected against. We do not need to build Fort Knox if only backups are required. The standards should also explain the consequences of noncompliance.
Security Procedures: The How
Once the security standards define what must be protected and the degree of protection, the security procedures are developed. This document must describe what must be done to ensure compliance with the other security documents and can include information such as network configuration templates, frequency of backups, firewall implementation, incident response, and frequency of log inspection. Systems record events, from informational to critical, to a file called a log. The log may reside on the device that generates the message (e.g., a server, firewall, IDS, or router), or it may be forwarded to a separate centralized log server, where events from many devices can be correlated, prioritized, and used to notify staff.
The security procedures document is likely to be highly volatile as procedures are adapted to new threats or installed systems (and as the other described documents change).
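As a worked illustration of the log inspection procedure described above, the following script normalizes events from several devices that feed one central log server, correlates them by source address within a time window, assigns a priority, and decides whether staff should be notified. It is an added example, not code from the original page. The log format, the sample lines, the event weights, the five-minute window, and the priority thresholds are all assumptions chosen for illustration; a real procedure would fix these values in the standards document.

```python
"""Centralized log correlation and prioritization (added example, not from the page).

Input lines are constructed samples in a simplified syslog-like format (assumed).
Event weights, the correlation window and the priority thresholds are assumptions
chosen for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from a firewall, a server and an IDS, as received by
# the central log server.
SAMPLE_LOG = """\
2024-03-01T10:00:01 fw1 DENY src=203.0.113.5 dst=10.0.0.10 dport=22
2024-03-01T10:00:02 fw1 DENY src=203.0.113.5 dst=10.0.0.10 dport=23
2024-03-01T10:00:03 fw1 DENY src=203.0.113.5 dst=10.0.0.10 dport=3389
2024-03-01T10:00:05 srv1 sshd: Failed password for root from 203.0.113.5
2024-03-01T10:00:06 srv1 sshd: Failed password for root from 203.0.113.5
2024-03-01T10:00:07 srv1 sshd: Accepted password for root from 203.0.113.5
2024-03-01T10:00:09 ids1 ALERT sid=1001 msg="SSH brute force" src=203.0.113.5
2024-03-01T10:05:00 srv1 cron: job backup-nightly finished
2024-03-01T10:06:00 fw1 DENY src=198.51.100.7 dst=10.0.0.10 dport=445
"""

# One regex per device message type; group 1 is the source IP address.
PATTERNS = [
    (re.compile(r"^\S+ \S+ DENY src=(\S+)"), "fw_deny"),
    (re.compile(r"^\S+ \S+ sshd: Failed password .* from (\S+)"), "auth_fail"),
    (re.compile(r"^\S+ \S+ sshd: Accepted password .* from (\S+)"), "auth_ok"),
    (re.compile(r"^\S+ \S+ ALERT .* src=(\S+)"), "ids_alert"),
]

# Assumed weights: a successful login that follows failures from the same
# address is the strongest single indicator, so it carries an extra bonus.
WEIGHTS = {"fw_deny": 1, "auth_fail": 2, "ids_alert": 5, "auth_ok": 0}
SUCCESS_AFTER_FAILURE = 10
WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Normalize one raw line into (timestamp, host, event_type, src_ip).
    Lines matching no pattern are kept as 'info' with no source address."""
    ts_str, host, _ = line.split(" ", 2)
    ts = datetime.fromisoformat(ts_str)
    for pattern, event_type in PATTERNS:
        match = pattern.match(line)
        if match:
            return ts, host, event_type, match.group(1)
    return ts, host, "info", None


def score_window(events):
    """Score a time-ordered list of (ts, event_type) from one source address."""
    score = sum(WEIGHTS[event_type] for _, event_type in events)
    seen_failure = False
    for _, event_type in events:
        if event_type == "auth_fail":
            seen_failure = True
        elif event_type == "auth_ok" and seen_failure:
            score += SUCCESS_AFTER_FAILURE
    return score


def prioritize(score):
    """Map a correlation score to (priority, notification action)."""
    if score >= 15:
        return "CRITICAL", "page on-call"
    if score >= 8:
        return "HIGH", "page on-call"
    if score >= 3:
        return "MEDIUM", "open ticket"
    return "LOW", "log only"


def correlate(log_text):
    """Group events by source address, score the worst WINDOW-sized span of
    events for each address, and return {ip: (score, priority, action)}."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ts, _host, event_type, ip = parse_line(line)
        if ip:
            by_ip[ip].append((ts, event_type))
    result = {}
    for ip, events in by_ip.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Slide the window forward so it never spans more than WINDOW.
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            best = max(best, score_window(events[start:end + 1]))
        result[ip] = (best,) + prioritize(best)
    return result


if __name__ == "__main__":
    for ip, (score, priority, action) in correlate(SAMPLE_LOG).items():
        print(f"{ip:<15} score={score:<3} {priority:<8} -> {action}")
```

The point of the sliding window is that the same events spread over a day would not be escalated, whereas clustered within minutes they are; the extra weight for a successful login after failures encodes the judgment that a brute-force attempt which succeeded matters far more than one that was blocked.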
Before finalizing the security documents, have legal counsel review them to confirm that legal requirements are met and that nothing in them, whether by inclusion or omission, would expose the company to liability. Even with careful preparation, some requirements might be interpreted ambiguously, so appoint a single person or committee to interpret the documents in case a question arises. The policy should clearly state that the right of interpretation lies with this appointed person or committee.
The Information Security Domains
An organization known as ISC2 (pronounced "ISC squared"), which stands for International Information Systems Security Certification Consortium, has defined a set of ten domains for information security in its Common Body of Knowledge (CBK). It also offers certification in these domains for information security professionals. The ten domains are:
- Security management practices
- Access control systems
- Telecom and network security
- Security architecture and models
- Operations security
- Applications and system development
- Business continuity and disaster recovery planning
- Law, investigation, and ethics
- Physical security
- Cryptography