Recommended check-list for the IT manager of a large company: creating an infosecurity program.
Nowadays, companies struggling with information security threats have a clear understanding of 1) how valuable information can be and 2) how hard it is to protect; in light of recent security breaches at corporations such as Apple, Facebook and Reddit, protecting it might seem nearly impossible. So some CEOs give up, which they should not do under any circumstances. Infosecurity is just a challenge of the modern environment, not an unsolvable puzzle.
The ISO/IEC 27001 standard is considered an exhaustive guideline on the goals and objectives, the allocation of roles and the elements of an infosecurity system. However, these instructions are formal and dry, without any practical examples of where to begin and how to proceed. A manager can study the cases of other companies, but the context always differs, making them largely inapplicable.
Drawing on my large and substantial ITSM consulting experience in corporations and startups, I drew up my own scheme, or concept, of how corporate infosecurity should look and function.
1. Information security policies and strategies
This might seem like an unnecessary, bureaucratic procedure – why not just adopt ISO/IEC 27001 in the company and forget about it? Use these security guidelines as the basis and align your policies with them, but set clear goals, objectives and attitudes to information security yourself, making them unique to your company. This will serve as an additional security measure. What is more, remember to always have someone specifically responsible for security; whether or not you can afford a whole security department, appoint one manager to perform this role.
2. Monitoring
Another important element is 24/7 monitoring for disruptions. First things first, determine what a “disruption” is in your company, i.e. what may lead to disaster – an error or a bug has the potential to develop into a security breach if you don’t detect it at an early stage. Then establish a monitoring system that detects and captures the data; set the right call-outs and key points, and establish proper escalation policies.
When it comes to monitoring, I strongly advise setting up a DevOps-oriented proactive system. Proactive monitoring means you don’t wait for breaches to grow into disasters – you find and target them before they cause damage.
3. Incident logging
Each piece of data about a disruption can turn out to be critical for information security and system health. To properly study a disruption it is crucial to collect an exhaustive amount of data and log it for further analysis. Every attribute may turn out to be important, so I believe that each log should include – but not be limited to:
- Identification number
- Logging date and time
- Resolution details
- Closure date and time
- Impact and urgency of the incident
4. Logs analysis and post-analysis
As I’ve mentioned before, logs need to be analyzed further to determine the cause and probable effect. You can apply many kinds of analysis to your log data: incident pattern recognition, event classification and tagging, correlation analysis, etc. Having received comprehensible information from the analytics, keep it in a Known Error Database (KEDB) and use it for Continual Service Improvement purposes.
You might not know about it, but log analysis is among the hottest DevOps trends at the moment. As Joe Beda, CTO and Founder of Heptio and recognized DevOps expert said: “Being able to say ‘show me all the logs impacting customer X’ is a huge, powerful step forward”.
5. Knowledge base
As I’ve already said, no data or information should be discarded after you’ve drawn short-term conclusions – everything should be stored in one system. This is not a waste of storage at all – you will definitely need it for a report or when faced with a similar problem. What is more, united in one knowledge base, the data will be of great use to the support team, the R&D department, the financial and HR units and even the CEOs.
6. Problem management
When an information security incident occurs again and again, it’s high time to escalate it to a problem and assign it a high priority. This is where the knowledge base and the KEDB prove extremely useful. Moreover, the resolution of such problems should be coordinated with the current corporate security strategy and guidelines.
Information is an extremely sensitive asset, so my advice is to implement a mechanism of proactive problem management. This process is based on the same principle as proactive monitoring: by predicting and preventing problems, it’s less troublesome to resolve those that do occur.
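As an added illustration (not part of the original article), here is a small Python pipeline that ties sections 3, 4 and 6 together: incident records with the fields listed above, keyword tagging as a stand-in for event classification, and escalation of a recurring tag to a problem record. The impact/urgency scale, the P1..P5 mapping, the tag rules and the sample incidents are all assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Incident:
    ident: str          # identification number
    logged: datetime    # logging date and time
    resolution: str     # resolution details (free text)
    closed: datetime    # closure date and time
    impact: int         # 1 = high .. 3 = low (assumed scale)
    urgency: int        # 1 = high .. 3 = low (assumed scale)

def priority(inc: Incident) -> str:
    """Impact x urgency collapsed to a P1..P5 label (assumed mapping, ITIL-style)."""
    return {2: "P1", 3: "P2", 4: "P3", 5: "P4"}.get(inc.impact + inc.urgency, "P5")

# Event classification and tagging: constructed keyword rules over the resolution text.
TAG_RULES = {"certificate": "tls-cert", "password": "credential", "disk": "capacity"}

def tag(inc: Incident) -> str:
    text = inc.resolution.lower()
    return next((label for kw, label in TAG_RULES.items() if kw in text), "uncategorised")

def problem_candidates(incidents, threshold=3):
    """Pattern recognition: a tag seen `threshold` or more times is escalated to a problem record."""
    groups = defaultdict(list)
    for inc in incidents:
        groups[tag(inc)].append(inc)
    problems = {}
    for label, group in groups.items():
        if len(group) >= threshold:
            problems[label] = {
                "incidents": [i.ident for i in group],
                "priority": min(priority(i) for i in group),   # "P1" sorts before "P2"
                "avg_minutes_to_close": sum((i.closed - i.logged).total_seconds() / 60 for i in group) / len(group),
            }
    return problems

# Constructed sample log: five incidents, three of them the same expiring-certificate failure.
T = datetime.fromisoformat
SAMPLE = [
    Incident("INC-1001", T("2024-03-01T08:00"), "Renewed expired TLS certificate on gateway", T("2024-03-01T09:30"), 1, 1),
    Incident("INC-1002", T("2024-03-04T10:00"), "Reset locked service account password", T("2024-03-04T10:20"), 2, 2),
    Incident("INC-1003", T("2024-03-10T08:00"), "Renewed expired TLS certificate on gateway", T("2024-03-10T08:45"), 1, 2),
    Incident("INC-1004", T("2024-03-12T14:00"), "Freed disk space on the log volume", T("2024-03-12T14:10"), 3, 3),
    Incident("INC-1005", T("2024-03-20T08:00"), "Renewed expired TLS certificate on gateway", T("2024-03-20T08:30"), 1, 1),
]
```

Running `problem_candidates(SAMPLE)` on the constructed log yields one problem record, for the recurring certificate expiry, while the single credential and capacity incidents stay ordinary incidents.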
7. Vulnerability and Risk management
The IT infosecurity infrastructure is usually large and complex, consisting of numerous devices, hardware and software. Obviously, none of them is invulnerable, so in order to prevent major breaches and protect the system from partial or overall outage, it’s better to allocate time and resources to risk and vulnerability management.
Since no element of the corporate hardware and software system is impenetrable, vulnerability and risk management are absolute musts for solid infosecurity. First of all, establish a risk evaluation register – a correlation between the level of risk and the rationality of using this or that application. For example, you want to introduce a new application into the corporate ecosystem. Having found a seemingly insignificant security vulnerability, the team and the CTO should not brush it off – instead, guided by the established risk evaluation register, they will understand how rational it is to install it. A similar scheme applies to regular appraisals of the vulnerability and risk system. And of course, these checks and evaluations should be properly documented and kept in the knowledge management base.
According to IT management expert Ilia Sotnikov, the criteria that determine the effectiveness of corporate risk management are the following:
- the system properly functions and identifies risks
- its resources are not spent on insignificant risks
- it provides a clear risk profile to CEOs
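An added example (not from the article or from Ilia Sotnikov) of what a risk evaluation register can look like in code: each application's vulnerabilities are scored on a likelihood x impact matrix, insignificant ones are filtered out so no resources go to them, and the residual risk is compared with how rational using the application is before deciding whether to install. The 1..5 scales, the thresholds and the register entries are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Vulnerability:
    title: str
    likelihood: int   # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int       # 1 (negligible) .. 5 (severe); assumed scale

    def score(self) -> int:
        return self.likelihood * self.impact   # 5x5 risk matrix, 1..25

@dataclass
class Application:
    name: str
    usage_value: int                 # how rational using the app is, on the same 1..25 scale (assumed)
    vulns: list = field(default_factory=list)

SIGNIFICANT = 6     # constructed threshold: below it a risk gets no management resources
RISK_APPETITE = 15  # constructed ceiling: above it no business value justifies installing

def evaluate(app: Application) -> dict:
    """One register entry: residual risk of the application versus the rationality of using it."""
    significant = [v for v in app.vulns if v.score() >= SIGNIFICANT]
    residual = max((v.score() for v in significant), default=0)
    if residual > RISK_APPETITE:
        decision = "reject"
    elif residual > app.usage_value:
        decision = "mitigate before install"
    else:
        decision = "install"
    return {"application": app.name, "residual_risk": residual, "decision": decision,
            "significant": sorted(v.title for v in significant),
            "ignored": len(app.vulns) - len(significant)}

def risk_profile(register: list) -> list:
    """The profile a CEO sees: one entry per application, worst residual risk first."""
    return sorted((evaluate(a) for a in register), key=lambda r: -r["residual_risk"])

# Constructed register: a chat tool whose "minor" flaw is reachable from the internet,
# a CRM with a serious gap, and a harmless utility.
REGISTER = [
    Application("TeamChat", 8, [Vulnerability("Verbose error pages leak stack traces", 5, 2),
                                Vulnerability("Outdated JS library, no known exploit", 2, 2)]),
    Application("CRM", 20, [Vulnerability("Unauthenticated admin API", 4, 5)]),
    Application("Clipboard helper", 3, [Vulnerability("World-readable temp files", 1, 2)]),
]
```

Note how the "seemingly insignificant" stack-trace leak in TeamChat scores 10 because it is almost certain to be hit, so the register says to mitigate it before installing rather than brush it off.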
As you can see, everything in this system is interconnected – the ultimate tool for infosecurity turns out to be… information, but of a different kind. In this article I have only outlined the concept of the infosecurity infrastructure; in the second part I’m going to compare the market-leading tools for organizing this infrastructure, so stay tuned.