But we have a Firewall and Anti-virus?

Security is so much more than that. 

  • We live in an interconnected world.
  • We hold multiple forms of data, systems and services:
    • internal user data (HR and payroll);
    • customer and partner data;
    • intellectual property and corporate strategy.
  • These are stored across multiple systems and databases.
  • These systems are accessible from desktops, laptops, mobile phones and tablets.
  • They are accessible over secure internal networks and/or insecure public Wi-Fi.
  • The systems interact with multiple cloud-based systems (many with questionable privacy policies) in data centres around the world.
  • They are accessible from anywhere in the world.

So who is looking at your data?

What is Security?

The CIA triad captures the three pillars of security: Confidentiality, Integrity and Availability.

Confidentiality relates to preventing data being disclosed to unauthorised persons or systems (e.g. credit card details). We must ensure that data is stored and transmitted securely: encrypted at rest and in transit, and readable only by those authorised to see it.

Integrity relates to assuring the accuracy and consistency of data, i.e. that it has not been altered by accident or by an attacker. For example, if when buying something from Amazon I approve a payment of £100, but it turns into £1000 at the credit card processor, we have an integrity problem.
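As an added illustration (not part of the original page) of what an integrity control looks like in practice: a keyed message authentication code (HMAC) computed over the payment message lets the card processor detect the £100 to £1000 change, because whoever alters the amount cannot recompute the tag without the key. The shared key, the order fields and the canonical JSON encoding are assumptions made for this example.

```python
import hashlib
import hmac
import json

# Hypothetical shared secret between the merchant and the card processor.
# An assumption for this example; in practice it lives in a key store.
SHARED_KEY = b"example-shared-secret-do-not-use"


def sign_payment(payment: dict, key: bytes = SHARED_KEY) -> str:
    """Return a hex HMAC-SHA256 tag over a canonical encoding of the payment.

    sort_keys and fixed separators mean the same payment always serialises
    to the same bytes, so sender and receiver compute over identical input."""
    canonical = json.dumps(payment, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_payment(payment: dict, tag: str, key: bytes = SHARED_KEY) -> bool:
    """True only if the tag matches the payment exactly as received.

    compare_digest runs in constant time so the comparison does not leak
    how many leading bytes of the tag were correct."""
    expected = sign_payment(payment, key)
    return hmac.compare_digest(expected, tag)


def demo() -> tuple:
    """Constructed payment: the merchant signs £100.00 (10000 pence); an
    attacker in the middle rewrites it to £1000.00 but cannot re-sign it."""
    order = {"order_id": "A-1001", "currency": "GBP", "amount_pence": 10000}
    tag = sign_payment(order)
    tampered = dict(order, amount_pence=100000)
    return verify_payment(order, tag), verify_payment(tampered, tag)


if __name__ == "__main__":
    original_ok, tampered_ok = demo()
    print("original message verifies:", original_ok)
    print("tampered message verifies:", tampered_ok)
```

Note what the tag does and does not give you: it detects modification of the message it covers, but a captured valid message can still be replayed, so a real protocol also binds in something unique per transaction (here the order_id) and rejects repeats.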

Availability means we want our data, systems and services to be available when needed. There's no point having loads of important information stored nicely and securely if the relevant people can't access it! If you lose your car keys, your car is no longer available to you. If your laptop is infected with malware and has to be taken offline, your laptop is no longer available to you.

The three elements, Confidentiality, Integrity and Availability, need to be balanced against the particular requirements of the organisation. If your systems are super confidential but inaccessible, you have a problem.

Every organisation is different. Thus the solution(s) will vary for each.

Elements of security to consider

  1. Governance, Risk and Compliance
  2. Application Security
  3. Security Strategy
  4. Human Resources
  5. Physical and Environmental Security
  6. Communications and Operations Management
  7. Access Control
  8. Information Security Incident Management
  9. Business Continuity Management
  10. Password Management
  11. Users

Governance, Risk and Compliance

Each corporate environment contains its own set of risks. It is necessary to identify, assess, prioritise (and/or accept) those risks; then mitigate appropriately.

Risks affecting a Fortune 500 bank are very different to those of a small web development company. How those risks would be mitigated will vary.

Whether it is EU data protection law, PCI DSS or Sarbanes-Oxley, compliance is something that affects almost all companies to some degree. Ensuring conformance with information security policies, standards, laws and regulations is what compliance is about. Beware of check-box compliance, or applying security features for the sake of compliance alone: a control that satisfies an auditor but not a real risk is money spent without reducing exposure. Security must serve the business.

For all the money being spent on managing risk and compliance, the C-level executives (CEO, CFO, etc.) need a clear understanding of what is being spent, where, and whether it is delivering as promised. This is governance.

Application Security

Ensuring your applications are architected, designed and coded to high, secure standards, and that the third-party components they are built from are known and kept patched.

Your applications are the doors and windows to your organisation: know what they all are (keep an inventory), monitor them, and when necessary close them.

Security strategy

Align security to the business and show that security is providing business benefit. Security isn't just a technical issue - every security decision must serve a business need. 

Information Security isn't an IT issue; it is a business issue. So long as it is viewed as an IT issue, the solutions will be tech-heavy, complex and opaque to business and non-IT staff.

Human resources

Security aspects for employees joining, moving and leaving an organisation, commonly known as Identity and Access Management (IAM).

Different employees require different access to corporate systems and software. More importantly, that access doesn't remain static during an employee's time with the company: a developer who moves into HR still needs an account, but not the source repositories, and a leaver needs no account at all. Identity and access need to be managed, and excess privileges need to be removed when they are no longer needed.

Identity Governance - the ability to report accurately and clearly on what identities exist and the access granted to each, at any time, and to ensure that they are as they should be. In practice that means regularly reconciling the account directory against the HR record and fixing the differences.

Privileged Account Management - privileged users are usually the administrative and support staff. They invariably have a higher degree of access than standard users. Ensuring that their activities are clearly audited and controlled is essential to deter fraud and to detect misuse, whether by the administrator or by an attacker who has taken over the account.

Ensuring that private staff data (e.g. home addresses, salaries and bonuses) remains private and accessible only by the right people.
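An added example (not from the original page) of the identity-governance reconciliation described above: the HR roster is compared against the account directory to flag leavers and unknown users who still have live accounts, and movers who kept entitlements from a previous role, with privileged entitlements called out separately. The roles, entitlement names and sample records are constructed for this illustration and are not a real estate.

```python
from dataclasses import dataclass

# Hypothetical role model: which entitlements each job role is expected to hold.
# An assumption for this example; in practice this comes from the IAM system.
ROLE_ENTITLEMENTS = {
    "developer": {"git", "ci", "jira"},
    "hr": {"hr-system", "payroll-read"},
    "sysadmin": {"git", "ci", "jira", "prod-ssh", "domain-admin"},
}
# Entitlements treated as privileged and therefore reported more loudly.
PRIVILEGED = {"prod-ssh", "domain-admin", "payroll-read"}


@dataclass
class HRRecord:
    user: str
    role: str
    status: str  # "active" or "left"


@dataclass
class Account:
    user: str
    entitlements: set
    enabled: bool = True


def review_access(hr, accounts):
    """Reconcile the account directory against HR.

    Returns a list of (user, finding, detail) tuples, where finding is one of:
      orphaned-account   : enabled account with no active HR record (leaver or unknown)
      excess-privileged  : privileged entitlement not expected for the current role
      excess-entitlement : any other entitlement not expected for the current role
    Disabled accounts without an HR record are left alone: they are already closed."""
    roster = {r.user: r for r in hr}
    findings = []
    for acct in accounts:
        rec = roster.get(acct.user)
        if rec is None or rec.status == "left":
            if acct.enabled:
                findings.append((acct.user, "orphaned-account",
                                 "enabled account with no active HR record; disable it"))
            continue
        expected = ROLE_ENTITLEMENTS.get(rec.role, set())
        for ent in sorted(acct.entitlements - expected):
            kind = "excess-privileged" if ent in PRIVILEGED else "excess-entitlement"
            findings.append((acct.user, kind, f"{ent} is not expected for role '{rec.role}'"))
    return findings


# Constructed sample data (not real records).
SAMPLE_HR = [
    HRRecord("alice", "developer", "active"),
    HRRecord("bob", "hr", "left"),             # leaver
    HRRecord("carol", "developer", "active"),  # mover: used to be a sysadmin
]
SAMPLE_ACCOUNTS = [
    Account("alice", {"git", "ci", "jira"}),                   # matches role: clean
    Account("bob", {"hr-system", "payroll-read"}),             # leaver, still enabled
    Account("carol", {"git", "ci", "jira", "prod-ssh"}),       # kept production access
    Account("dave", {"git"}),                                  # no HR record at all
    Account("erin", {"domain-admin"}, enabled=False),          # disabled leaver: fine
]

if __name__ == "__main__":
    for user, kind, detail in review_access(SAMPLE_HR, SAMPLE_ACCOUNTS):
        print(f"{kind:20} {user:6} {detail}")
```

Run this on a schedule, feed the findings to whoever owns the account and the role, and treat "zero findings" as the target state; the value is in the recurring comparison, not the one-off report.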

Physical and environmental security

Protection of the physical computer facilities.

Communications and operations management

Management of technical security controls in systems and networks.

Access control

Restriction of access rights to networks, systems, services, applications, functions and data to those with the correct privileges.

Information security incident management

Recognising, anticipating and responding appropriately to information security breaches.

Business continuity management

Protecting, maintaining and recovering business-critical processes and systems in the event of an incident.

Password management

For the foreseeable future, passwords are a necessary evil for users logging into systems. 

Users need to understand the importance of strong passwords that are different for every system, of password managers (which make both of those practical), and of multi-factor authentication.

Software needs to support strong passwords (long passphrases, not arbitrary complexity rules), store them securely (never in the clear or as an unsalted fast hash, but salted and run through a deliberately slow hash) and support multi-factor authentication.
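An added example (not part of the original page) of the "store passwords securely" requirement above: the weak scheme many applications still use, an unsalted SHA-256, beside a salted PBKDF2-HMAC-SHA256 scheme whose work factor is stored with the record so it can be raised later without a forced password reset. The iteration count is an assumption based on published guidance at the time of writing; check the guidance current when you deploy, and prefer a purpose-built library (e.g. argon2 or bcrypt bindings) where one is available.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. 600,000 follows published guidance at
# the time of writing (an assumption for this example); raise it over time.
ITERATIONS = 600_000


def weak_hash(password: str) -> str:
    """The scheme to avoid: unsalted, fast hash.

    Equal passwords give equal hashes, so one cracked hash exposes every user
    who chose that password, and billions of guesses per second are cheap."""
    return hashlib.sha256(password.encode()).hexdigest()


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, slow hash. Returns a self-describing record:
    pbkdf2_sha256$<iterations>$<salt>$<derived key>"""
    salt = os.urandom(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time.
    Malformed records simply fail verification rather than raising."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
        iterations = int(iters)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True if the record uses a lower work factor (or a different scheme) than
    we now want. Call after a successful login and re-hash with current settings."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256" or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("Tr0ub4dor&3", record))
    print("weak scheme leaks equal passwords:", weak_hash("hunter2") == weak_hash("hunter2"))
```

Two things in the record matter for operations: the per-user salt means two users with the same password get different hashes, and the embedded iteration count means old records can be upgraded transparently on the user's next login via needs_rehash.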

Users

Staff, customers and partners all have different needs and come from different backgrounds, and they are the weakest link in any security system.

Security should be transparent to all users and shouldn't require multiple complex settings to get right. The majority of staff in an enterprise don't come from a technical background, so the solutions should suit them and not require a Computer Science PhD to comprehend.

Security risks need to be translated into concepts that ordinary users will understand and appreciate. Whether it is the password policy or data privacy, the better users' grasp of why a protection exists, the more likely the enterprise or business will be kept safe.