C3 Security Consulting LLC
Confidentiality
Integrity
Availability
Related Links
An alternative OS for iPAQ
If you like Linux and have an iPAQ you can replace the OEM O/S with a Linux kernel.
Linux Devices
To see a range of devices that run on Linux look at www.linuxdevices.com.
Using Active Directory to Lock Down Your Network
Microsoft Active Directory provides the means to manage the identities and relationships that make up your network environment. Find webcasts, virtual labs, and other resources that show how you can use Active Directory to help establish secure administrative policies and practices.
Insecure.org
Scanners, sniffers, and many more useful tools for the security minded.
SANS Institute
SANS Institute Web site maintains articles, documents, and links on computer security and wireless technologies.

Information Technology Security


  • At C3SC we will ensure your current systems are securely configured.
  • We will create processes for maintaining that security.
  • We will train your administration staff how to keep your environment safe.
  • We will audit your existing environment and give a comprehensive report on findings and solutions.

The adage “an ounce of prevention is worth a pound of cure” is particularly true for IT security. Frequently, by the time an attack has been discovered the damage has already been done.

Many attacks come in the form of viruses, trojans, and bots. They can reside on a system for days, weeks, or even months before being discovered. During that time they can monitor your keystrokes, view your data, and change or corrupt valuable information.

Intrusion detection systems have their place but remember:

prevention, prevention, prevention!

IT security must be considered in a framework of security as a whole, as it relates to your business. A great example of this is the attack on the London office of the Sumitomo Mitsui Bank, where criminals were able to place key-logging devices on computers to try to steal £220M (approx. $350M).

Physical security must work with IT security to make the business secure.

Best Practices

  • Best practices apply to your plans and processes, your systems, and your staff.
  • At C3SC we will show you how to keep security alive and evolving.
  • We will also train your staff to be security conscious. By setting down specific expectations you can minimize accidental security breaches.

With any process planning it helps to define some high-level goals and methodologies. Creating a working set of best practices helps align separate and potentially isolated IT programmes. A management framework is needed so everyone knows what to do (policy, internal controls and defined practices).

To be truly effective a guide for best practices should:

  • Support the regulatory requirement needs of your business - core business.
  • Avoid duplication of effort - efficiency.
  • Reduce dependency on technology experts - cost reduction.
  • Make it easier to leverage external assistance - interoperability.
  • Reduce risks and errors - cost reduction.
  • Improve quality - cost reduction/reliability/customer satisfaction.
  • Improve the ability to manage and monitor - cost reduction/efficiency.
  • Increase standardization - cost reduction.
  • Improve trust and confidence from management and partners - business reputation.

You would be amazed how many companies make significant investments in IT security only to have it be forgotten and allowed to stagnate. Unfortunately, security breaches are a growing market, both from amateur hackers and dedicated industrial espionage agents. The complexity of these attacks is also escalating so the responses must be dynamic to effectively prevent them.

Another security weakness that is frequently overlooked is your employees. Either through malice or accident, statistically your own employees will account for at least a third of all security breaches you experience.

Effective prevention is through coherent planning and the development of best practices to prevent the “opportunities” from occurring. C3SC will provide tailored operational models for your environment that keep security processes and procedures fluid to adapt to change as needed.

A Security Policy

This is your base line. It sets out what you want to achieve and communicates it to management, employees, customers and auditors. It will define your organization's approach to security and set expectations. It differs from a plan by concentrating on strategy, whereas a plan will define the specific actions and procedures.

It is important to start with a policy. The policy will provide a framework for a coherent plan and help avoid duplication of effort and counteractive processes. A proactive approach now will reduce your exposure and the impact of security violations when, not if, they occur.

The ISACA has stated "The consistent enforcement of information security policies and standards...are critical elements in the success of a security system".

At C3SC we have the skills and experience to create a policy specific to your organization. No matter what size of business, we will focus on your business needs and deliver based on your requirements.

Examples of typical elements included in a comprehensive policy:

  • A Code of Ethics
  • Acceptable use
  • Responsibility
  • Due care
  • Privacy
  • Business unit specifics
  • Consequences of violations
  • Summary statement of approach and objectives
  • Support regulatory requirements

For more information, if you want to create a policy for yourselves, go to the information section for examples and suggested components.

  • C3SC has experience in developing effective security policies and we understand their value.
  • We will work with you to develop a constructive security policy, specific to your environment.
  • After developing a comprehensive security policy, we will follow through with a communication plan to ensure your message reaches the intended recipients.

Security Planning

This is where it should all come together.

The policies and vision need to be combined with industry best practices, focused on your environment to create a total security plan.

In addition to the specifics of security, it must also comprise:

  • Risk mitigation and avoidance
  • Analysis of current capacity and practices
  • Implementation plan
  • Communications plan
  • Maintenance plan
  • Future development plan

The security plan should address initial tasks, ongoing procedures, and assessment matrices. It is only by creating a living, evolving security plan that you will achieve security today and stay safe tomorrow.

Although initially daunting, these components should flow naturally and seamlessly from one into the next, the final product being a realistic and achievable secure business environment.

  • Depending on the size of your organization, security does not have to be an uncontrollable juggernaut of effort. At C3SC we recognize plans and practices that are too much work will be quickly forgotten. We create realistic solutions based on the needs of your environment.
  • We will assess
    • Physical security for IT systems
    • Topology
    • SLAs
    • Software testing and management
    • Short/long term actions
    • Measurement

  • C3SC will provide an integrated result to efficiently harden your security environment.

Vision & Policy

C3SC will perform initial evaluations and interviews, assess scope and requirements, and create a policy for your environment.

It will be:

  • practical
  • understandable
  • adaptable
  • comprehensive
  • aligned with your business strategy and goals
  • relevant to your business partners
  • designed to improve the quality of your IT systems
  • a statement of the business purpose and benefits of a policy

Plan & Implement

C3SC will work with you to develop objectives. We will create an implementation plan, mindful of resource availability and existing technology infrastructure. We will ensure it is supportable by existing resources. It can be executed by your own staff, a third party vendor, or by C3SC staff, with or without C3SC providing implementation management services.

It will be:

  • designed to fit your business needs
  • a natural extension of the policy statement
  • low impact on your business performance, ensuring continuity of business functions

We will produce supporting project and operational documentation. We will train any project and operational staff necessary.

Measure & Evaluate

C3SC will provide a measurement matrix by which you can assess the performance of the implementation. We will provide processes and supporting documentation for ongoing performance measurement. We will automate wherever possible. We will produce operational service level agreements. It will support decision making and will integrate with the existing business policies and procedures.
Did you know?
Email is a hacker's gateway to your network.
Make sure you have adequately trained your employees in good email hygiene to reduce virus attacks.
Scrolling system messages.
To view Linux system log messages in real-time, open a terminal window, su to root, and type tail -f /var/log/messages. You will see the system messages scroll up the screen as they occur.
Folder views.
If you want all your files and folders to be listed the same way in Explorer, display the format you want in the right pane, e.g. details view, sorted by file type. Then go to Tools > Folder Options and the Views tab. Hit the Apply to All Folders button and the next time you traverse to a folder it will be in your "standard" display format.
Wireless networks are more vulnerable to hackers - so they need additional protection.
Encryption technologies such as Wi-Fi Protected Access can help. Although there are weaknesses with WEP, some legacy systems do not support more modern protocols like WPA, and so WEP is still better than nothing and will deter most casual eavesdropping.
Spam problems?
Microsoft filters out over three billion spam messages a day.