Plan for Your IT Security Spring Cleaning Now!
It is still early in the year, a perfect time to plan your Spring Information Security Cleaning. In 2014 Sony, JPMorgan Chase, and Home Depot were some of the bigger names that joined the growing list of companies whose systems were breached, and no organization wants to join that list. Since there is no single solution to security, a “Spring Information Security Cleaning” needs to be thorough and cover all essential areas. Here are a few suggestions to get you started:
- Review your enterprise's security policy and reaffirm it with a commitment from executive leadership (President / CEO). If you don't have a security policy, develop one that has buy-in from top leadership. Likewise, if it has been more than 12 months since you last reviewed your security policy, significant updates may be required. Remember, executive buy-in is a requirement, not an option.
- Know what needs to be protected. While the goal is to protect 100% of enterprise assets, the sobering reality is that customer data, intellectual property, and trade secrets deserve a higher protection priority than the sales and marketing collateral that is typically posted on the Internet anyway. Classify your data so that the strongest controls follow the most valuable assets.
- Review all extranet connections and determine what security controls are in place. For example, an HR partner may be critical for issuing paychecks, but how far into your enterprise network can that partner actually reach, versus how far should it reach? Then take inventory of what you own: is there a named, accountable owner for every physical server, router, and firewall (or at least an identified vendor)? In the virtualized world we live in, which virtual machines sit on which physical servers? Most importantly, are the assets you manage properly patched, with default passwords changed and non-essential services turned off?
- Does your enterprise have a device policy? Smartphones and tablets have become essential business tools and bring their own security challenges. What about BYOD (Bring Your Own Device)? Should you consider a service like AT&T Toggle, which partitions a device between personal and business use? If you have a device policy, review it; if not, it is time to develop one that suits your enterprise. Every organization needs to address data protection on the device, acceptable use, and remotely wiping the device in case of loss or theft.
- Make sure the acceptable use policy is clearly documented and available to all associates and contractors. Internet access to social media, including YouTube, is not necessarily bad, but it has to be covered by the acceptable use policy. With access to social media comes the responsibility for employees to adhere to acceptable communication standards.
- Incident response planning is a necessity: it determines whom to contact internally and externally, who communicates with whom, and what recovery steps are required. Include a periodic drill (a tabletop exercise) so you learn where the communication process breaks down before a real breach shows you.
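The extranet and inventory questions in the third item above are easier to answer every spring if they are turned into a repeatable check rather than a manual walk-through. The script below is an added example and is not code from the original article or from AT&T. It assumes a constructed inventory export (hosts, VM placement, owner, patch date, default-credential flag, listening services) and a constructed list of firewall rules for the HR/payroll partner; the 90-day patch threshold, the set of non-essential services, and the partner's allowed zone (10.20.5.0/24) are assumptions to be replaced with your own.

```python
"""Spring-cleaning audit of an asset inventory and a partner's extranet reach.

Added example, not from the original article. All data below is constructed
sample input shaped like a CMDB export and a firewall rule dump.
"""
from datetime import date, timedelta
import ipaddress

# Constructed inventory: physical hosts and the VMs placed on them.
INVENTORY = [
    {"name": "esx-01", "type": "physical", "owner": "J. Doe", "host": None,
     "last_patched": "2015-01-20", "default_creds": False, "services": ["ssh"]},
    {"name": "hr-pay-01", "type": "vm", "owner": "Payroll", "host": "esx-01",
     "last_patched": "2014-09-02", "default_creds": False, "services": ["https", "ssh"]},
    {"name": "hr-db-01", "type": "vm", "owner": "", "host": "esx-02",
     "last_patched": "2015-02-01", "default_creds": True, "services": ["mysql", "telnet", "ftp"]},
    {"name": "edge-fw-01", "type": "physical", "owner": "NetOps", "host": None,
     "last_patched": "2015-01-05", "default_creds": False, "services": ["https"]},
]

# Assumptions: services with no business justification, and the patch window.
NON_ESSENTIAL = {"telnet", "ftp", "rsh"}
MAX_PATCH_AGE = timedelta(days=90)

# Constructed extranet rules for the payroll partner (source, destination, port).
PARTNER_RULES = [
    {"src": "203.0.113.0/24", "dst": "10.20.5.0/24", "port": 443},
    {"src": "203.0.113.0/24", "dst": "10.0.0.0/8", "port": 22},
]
# Assumption: the only zone the payroll partner actually needs to reach.
PARTNER_ALLOWED_ZONE = ipaddress.ip_network("10.20.5.0/24")


def audit_inventory(inventory, today, max_age=MAX_PATCH_AGE, non_essential=NON_ESSENTIAL):
    """Return (asset, finding) tuples for every checklist failure in the inventory."""
    findings = []
    physical = {a["name"] for a in inventory if a["type"] == "physical"}
    for asset in inventory:
        name = asset["name"]
        if not asset["owner"]:
            findings.append((name, "no accountable owner"))
        # A VM whose host is not in the inventory is an unaccounted-for asset.
        if asset["type"] == "vm" and asset["host"] not in physical:
            findings.append((name, f"placed on unknown host {asset['host']!r}"))
        if asset["default_creds"]:
            findings.append((name, "vendor default credentials still set"))
        age = today - date.fromisoformat(asset["last_patched"])
        if age > max_age:
            findings.append((name, f"not patched for {age.days} days"))
        for svc in sorted(set(asset["services"]) & non_essential):
            findings.append((name, f"non-essential service {svc} enabled"))
    return findings


def audit_partner_reach(rules, allowed_zone):
    """Return partner rules whose destination is not confined to the allowed zone.

    A destination wider than the zone (10.0.0.0/8 when only 10.20.5.0/24 is
    needed) is how a partner reaches farther into the network than it should.
    """
    return [r for r in rules
            if not ipaddress.ip_network(r["dst"]).subnet_of(allowed_zone)]


if __name__ == "__main__":
    review_date = date(2015, 3, 1)  # assumed date of the review
    for asset, finding in audit_inventory(INVENTORY, review_date):
        print(f"{asset}: {finding}")
    for rule in audit_partner_reach(PARTNER_RULES, PARTNER_ALLOWED_ZONE):
        print(f"partner overreach: {rule['src']} -> {rule['dst']} port {rule['port']}")
```

Run against a real export, the same two functions give you the list that feeds the spring cleaning: the hosts with no owner, the VMs nobody can place, the boxes still on vendor passwords, and the partner rules that let an outside party reach more of the network than the business relationship requires.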
It's easy to write a list of what you should do; implementing these steps is not easy. Look for best practices from supportive industry groups, professional services, and sometimes plain common sense. When you have accomplished these steps, do not put a check next to the task and ignore it until next year. Security is an ongoing process, not a one-time project.
Michael Sidman has 15 years of security and networking experience at AT&T, supporting banking, insurance, utility, and manufacturing clients with a number of issues including DDoS mitigation, SIEM, and Firewalls/IDPS. Michael lives in the Cleveland area and is a Certified Information Systems Security Professional.