Managing the information assets of the organisation
Manage all identities and access for all users of those assets
Train all the different users who need access to those information assets.
Governance Risk Compliance
Physical and Environmental Security
Communications and Operations Management
Information Security Incident Management
Business Continuity Management
Managing Information Assets
Knowing all the information assets within the organisation is the first step toward protecting them. Each asset needs to be assessed both in isolation and as part of the wider enterprise.
What are the crown jewels that the business relies upon? Are they adequately protected?
Does this asset serve a business purpose?
Have default accounts been changed/locked?
Have default passwords been changed to something cryptographically secure?
Is it running the latest software version?
Is it still supported?
Has it been patched?
Is privileged access to the asset controlled and audited?
Who has access? Do they need access?
Is it licensed?
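The checklist above becomes useful once it is run over the whole inventory and the answers are ranked, so that an unprotected crown jewel is seen before a minor gap on a low-value box. The following is an added example, not code from the original page: the asset fields, severity weights, the 30-day patch window and the sample inventory are all assumptions made for this illustration.

```python
"""Asset inventory triage over the checklist questions (constructed example)."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Asset:
    name: str
    business_purpose: str          # empty string: nobody could name one
    crown_jewel: bool              # does the business depend on it?
    default_accounts_locked: bool
    default_passwords_changed: bool
    version: str
    latest_version: str
    support_ends: date             # vendor end-of-support date
    patched_on: date
    privileged_access_audited: bool
    users: list = field(default_factory=list)
    owner: str = ""


def triage(asset, today, patch_window_days=30):
    """Return (severity, finding) pairs for one asset, highest severity first."""
    findings = []

    def flag(base, text):
        # Crown jewels double the severity so they sort to the top of a report.
        findings.append((base * (2 if asset.crown_jewel else 1), text))

    if not asset.business_purpose:
        flag(3, "no business purpose recorded: candidate for decommissioning")
    if not asset.default_accounts_locked:
        flag(4, "default accounts still active")
    if not asset.default_passwords_changed:
        flag(5, "default passwords unchanged")
    if asset.support_ends < today:
        flag(5, f"unsupported since {asset.support_ends}")
    if asset.version != asset.latest_version:
        flag(2, f"running {asset.version}, latest is {asset.latest_version}")
    age = (today - asset.patched_on).days
    if age > patch_window_days:
        flag(3, f"last patched {age} days ago")
    if not asset.privileged_access_audited:
        flag(4, "privileged access not audited")
    if not asset.owner:
        flag(2, "no owner: nobody to answer 'who needs access?'")
    return sorted(findings, key=lambda f: -f[0])


def report(assets, today):
    """Rank every finding across the inventory; crown jewels surface first."""
    rows = []
    for a in assets:
        rows += [(sev, a.name, text) for sev, text in triage(a, today)]
    return sorted(rows, key=lambda r: -r[0])


# Constructed reference date and inventory for the illustration.
TODAY = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    Asset("payroll-db", "payroll processing", True, True, True, "14.2", "14.2",
          date(2026, 12, 31), date(2024, 5, 20), False, ["hr-team"], "hr-ops"),
    Asset("legacy-ftp", "", False, False, False, "2.1", "3.0",
          date(2019, 1, 1), date(2018, 6, 1), False, ["unknown"], ""),
]

if __name__ == "__main__":
    for sev, name, text in report(SAMPLE_INVENTORY, TODAY):
        print(f"{sev:>2}  {name:<12} {text}")
```

In the sample, the forgotten FTP server produces the most findings, but the single finding on the payroll database (privileged access not audited) outranks all of them because the business depends on that system.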
Manage Users’ Identities and Access to Assets
Different members of staff, third-party contractors, temporary staff, customers, partners and any other actors, all need different types and levels of access to different systems at different times.
These identities and access rights need to be managed appropriately.
Train the users to understand the value of the information assets and to use them appropriately
For example: intellectual property, HR data, payroll, credit card data.
It is essential to train users about the criticality and sensitivity of the information they are handling, so they manage it appropriately. Different user groups will manage different assets. The information that HR is privy to, will differ greatly from what the Sales team will deal with.
Security should be transparent to all users and shouldn't require multiple complex settings to get right. The majority of staff in an enterprise don't come from a technical background, so the security solutions should be simple, and not require a Computer Science PhD to comprehend.
Security risks need to be translated into concepts that ordinary users will understand and appreciate. Whether it is the password policy or data privacy, the better grasp the users have of security protection, the more likely the enterprise/business will be kept safe. The technology should then be used to simplify and automate wherever possible.
Governance Risk Compliance
Each corporate environment contains its own set of risks. It is necessary to identify, assess, prioritise (and/or accept) those risks; then mitigate appropriately.
Risks affecting a Fortune 500 bank are very different to those of a small web development company. How those risks would be mitigated will vary.
Whether it is EU Data Privacy, PCI DSS or Sarbanes-Oxley, compliance is something that affects almost all companies to some degree. Ensuring conformance with information security policies, standards, laws and regulations is what compliance is about. Beware of check-box compliance or applying security features for the sake of compliance - security must serve the business.
For all the money being spent on managing risk and compliance, the C-levels (the CEO, CFO and other chief officers) need a clear understanding of what is being spent, where, and whether it is delivering as promised. This is governance.
Ensuring your applications are architected, designed and coded to high, secure standards.
Your applications are the doors and windows to your organisation - know what they all are; monitor them and when necessary close them.
Align security to the business and show that security is providing business benefit. Security isn't just a technical issue - every security decision must serve a business need.
Information Security isn't an IT issue; it is a business issue. So long as it is viewed as an IT issue, the solutions will be tech-heavy, complex and opaque to business and non-IT staff.
Security aspects for employees joining, moving, and leaving an organisation - Identity and Access Management (I&AM).
Different employees require different access to corporate systems and software. More importantly, that access doesn't remain static during an employee's life with the company. Identity and access need to be managed, and excess privileges need to be removed when they are no longer needed.
Identity Governance - The ability to report accurately and clearly on what identities exist and the access granted, at any time - and ensure that they are as they should be.
Privileged Account Management - Privileged users are usually the administrative and support staff. They invariably will have a higher degree of access than standard users. Ensuring that their activities are clearly audited and controlled is essential to prevent fraud and the insider threat.
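Identity governance in practice is a reconciliation: what each person is entitled to by role against what they have actually been granted, with leavers and unaudited privileged access called out. The following is an added example, not the page's own code; the role-to-entitlement map, the list of privileged systems, the audited-system set and the directory records are constructed for the illustration, and it assumes that roles map cleanly onto entitlements.

```python
"""Joiner/mover/leaver access review over a constructed directory export."""

# Assumption: each role maps to a fixed set of entitlements.
ROLE_ENTITLEMENTS = {
    "developer": {"git", "ci", "jira"},
    "payroll-clerk": {"payroll-app", "hr-portal"},
    "sysadmin": {"ssh-prod", "ldap-admin", "jira"},
}
# Entitlements that count as privileged and therefore need MFA and auditing.
PRIVILEGED = {"ssh-prod", "ldap-admin"}
# Systems whose privileged activity is actually logged (constructed).
AUDITED_SYSTEMS = {"ssh-prod"}

# Constructed directory export: status, current roles, what is really granted.
USERS = [
    {"id": "alice", "status": "active", "roles": ["developer"],
     "granted": {"git", "ci", "jira"}, "mfa": True},
    # mover: went from payroll to development, old access never removed
    {"id": "bob", "status": "active", "roles": ["developer"],
     "granted": {"git", "ci", "jira", "payroll-app"}, "mfa": True},
    # leaver: account still enabled and still privileged
    {"id": "carol", "status": "left", "roles": ["sysadmin"],
     "granted": {"ssh-prod", "ldap-admin", "jira"}, "mfa": False},
    # privileged user without MFA, on a system nobody audits
    {"id": "dave", "status": "active", "roles": ["sysadmin"],
     "granted": {"ssh-prod", "ldap-admin", "jira"}, "mfa": False},
]


def expected_access(roles):
    """Union of the entitlements the user's roles justify."""
    expected = set()
    for role in roles:
        expected |= ROLE_ENTITLEMENTS.get(role, set())
    return expected


def review(users, audited_systems):
    """Return (user, issue, sorted entitlements) findings in directory order."""
    findings = []
    for u in users:
        if u["status"] != "active":
            # Leavers should hold nothing at all, whatever their old role was.
            if u["granted"]:
                findings.append((u["id"], "leaver-still-has-access",
                                 sorted(u["granted"])))
            continue
        excess = u["granted"] - expected_access(u["roles"])
        if excess:
            findings.append((u["id"], "excess-privilege", sorted(excess)))
        privileged = u["granted"] & PRIVILEGED
        if privileged and not u["mfa"]:
            findings.append((u["id"], "privileged-without-mfa", sorted(privileged)))
        unaudited = privileged - audited_systems
        if unaudited:
            findings.append((u["id"], "privileged-unaudited", sorted(unaudited)))
    return findings


def to_revoke(findings):
    """Turn the access-related findings into a per-user revocation list."""
    revocations = {}
    for user, issue, entitlements in findings:
        if issue in ("excess-privilege", "leaver-still-has-access"):
            revocations.setdefault(user, set()).update(entitlements)
    return {user: sorted(ents) for user, ents in revocations.items()}


if __name__ == "__main__":
    results = review(USERS, AUDITED_SYSTEMS)
    for user, issue, ents in results:
        print(f"{user:<6} {issue:<26} {', '.join(ents)}")
    print("revoke:", to_revoke(results))
```

Running a review like this on a schedule, and again whenever HR records a move or a departure, is what turns the "report accurately and clearly at any time" requirement into something that can be evidenced.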
Ensuring private staff data (e.g. home addresses, salaries and bonuses) remain private and accessible only by the right people.
Physical and environmental security
Protection of the physical computer facilities, data centres, hardware, CCTV, building access etc.
Communications and operations management
Management of technical security controls in systems and networks.
Restriction of access rights to networks, systems, services, applications, functions and data to those with the correct privileges.
Information security incident and event management
Recognising, anticipating and responding appropriately to information security breaches.
Business continuity management
Protecting, maintaining and recovering business-critical processes and systems in the event of an incident.
For the foreseeable future, passwords are a necessary evil for users logging into systems.
Users need to learn/appreciate the importance of using strong passwords; using different passwords for different systems; password managers and multi-factor authentication.
Software needs to support strong passwords, store and manage passwords securely and support multi-factor authentication.
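What "store and manage passwords securely and support multi-factor authentication" means for the software side is shown by the following added example, which is not code from the original page. It assumes a minimum length of 12 characters, a small constructed denylist of common passwords, PBKDF2-HMAC-SHA256 with 600,000 iterations for storage, and a time-based one-time password as the second factor (HOTP/TOTP as specified in RFC 4226 and RFC 6238, using the RFC's published test secret so the output can be checked against the standard).

```python
"""Password policy, salted password hashing and TOTP verification (constructed example)."""
import hashlib
import hmac
import secrets
import struct
import time

# Constructed denylist; a real one would be a large breached-password corpus.
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein"}
PBKDF2_ITERATIONS = 600_000   # assumption: a current cost that keeps logins under a second


def password_policy_ok(password, min_len=12):
    """Length is the main lever; reject the obviously common as well."""
    return len(password) >= min_len and password.lower() not in COMMON_PASSWORDS


def hash_password(password):
    """Return 'pbkdf2$<iterations>$<salt hex>$<hash hex>' with a fresh random salt."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from Unix time."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret, code, at=None, step=30, window=1):
    """Accept the current step and `window` steps either side to absorb clock drift."""
    if at is None:
        at = time.time()
    counter = int(at) // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(totp(RFC_TEST_SECRET, 59))   # RFC 6238 vector at T=59 is 287082 (6 digits)
```

Two details matter for the "securely" part: the salt is random per user so identical passwords do not produce identical records, and `hmac.compare_digest` is used for both the hash and the one-time code so that verification time does not leak how many bytes matched.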