This article is part seven in a twelve-part series on information security fundamentals for small and medium-sized businesses.
Information security isn’t a destination. It’s a journey.
If you’ve read the previous articles in the series, you’re already aware of many critical information security controls that every business owner should implement. You’ve probably also come to the understanding that these controls aren’t going to maintain themselves. Someone is going to be tasked with day-to-day information security operations, and that someone will need to know what their responsibilities are.
A good way to identify these day-to-day tasks is to begin by imagining your information security program as a castle. You keep the sensitive data deep within the treasury, behind layers of controls that keep attackers away from it. These defense-in-depth controls include:
• Network perimeter controls (moat, walls, drawbridge)
• Host system controls (castle guard)
• Data controls (locked treasury gates)
Your security team should begin by implementing appropriate network security controls. A properly configured firewall is considered an essential control, although more security-conscious businesses implement additional controls such as an Intrusion Prevention System and strong controls around their wireless networks. Your Network Security Policy will provide guidance for both employees and support staff regarding the controls that need to be maintained.
Your security team will also need to maintain an endpoint security solution on all systems in your IT asset inventory. At a bare minimum, this solution should provide antimalware protection. However, endpoint security solutions can do much more than fight malware. They can also prevent users from connecting unauthorized USB devices to your equipment, restrict users from transferring company data to other devices, and encrypt sensitive data. The inventory doubles as your checklist: any host listed in it that is not reporting to the endpoint console is a gap to chase down.
Speaking of encryption, it’s absolutely essential that you encrypt sensitive data at rest and in motion. TLS (what most people still call an SSL certificate) on the ecommerce website protects customer orders in transit, but you also need TLS on every web-based admin console; otherwise the IT team’s usernames and passwords cross the network in the clear, where any attacker positioned on the path can read them.
And what about the data on your workstations and (more importantly) laptops? If you’re not encrypting data at rest, then you’d best brush up on your security incident response procedures for that inevitable report of a lost or stolen laptop that contains unencrypted customer data. Keep in mind that full-disk encryption only protects a device that is powered off or locked, so pair it with a short screen-lock timeout and treat a laptop stolen while logged in as a likely data breach.
Although your security team will have their hands full maintaining these network and host security controls, what happens when something changes? It’s hard enough to maintain these controls in a controlled, unchanging environment. An unexpected change can really throw a wrench in the works.
In order to protect your business from change-related incidents, you need to document your expectations in your Change Management Policy. This policy should explain how employees can request a change, as well as who can implement those changes and when.
Once you begin controlling these changes, the value of non-production systems for testing purposes will become apparent. You should never test your changes in production. Ever.
If you don’t yet have a solid change control process, chances are that you’ve had to restore a broken system or application from backup. That’s why an Information Systems Backup Policy goes hand-in-hand with your Change Management Policy.
Document what you’re going to back up, how often you plan on performing backups, and how you intend to secure those backups. Oh, and don’t forget to test your backups on a regular basis, which means actually restoring them and confirming that the restored data is complete and intact. You don’t want to be in the middle of a production-down incident when you discover that your backups are broken.
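As an added illustration (not code from the original article), the following Python script shows what a scripted backup test looks like: it archives a directory, records a SHA-256 manifest beside the archive, restores into a scratch directory, and verifies every file against the manifest, including the case of an archive that was truncated in transit. The directory contents, file names and the "data" archive prefix are constructed for the example.

```python
"""Scripted backup restore test (added example, not from the original article).
Archives a directory with tar/gzip, writes a SHA-256 manifest beside it, then
proves the backup is usable by restoring into a scratch directory and checking
every file against the manifest. Sample data is constructed inline so it runs
offline and never touches live systems."""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source: Path) -> dict:
    """Relative path -> SHA-256 digest for every regular file under source."""
    return {str(p.relative_to(source)): sha256_file(p)
            for p in sorted(source.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> Path:
    """Write the archive and a sidecar manifest; returns the manifest path.
    Keep the manifest in the backup catalogue, separate from the archive."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")  # "data" prefix is an assumption of this example
    manifest_path = archive.with_name(archive.name + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest_path


def safe_extract(tar: tarfile.TarFile, dest: Path) -> None:
    """Refuse members that escape dest (tar path traversal) or that are links
    before extracting; a tampered archive must not overwrite arbitrary paths."""
    dest = dest.resolve()
    for member in tar.getmembers():
        target = (dest / member.name).resolve()
        if target != dest and not str(target).startswith(str(dest) + os.sep):
            raise ValueError(f"unsafe path in archive: {member.name}")
        if member.issym() or member.islnk():
            raise ValueError(f"refusing link in archive: {member.name}")
    if hasattr(tarfile, "data_filter"):  # Python 3.12+ (and backports)
        tar.extractall(dest, filter="data")
    else:
        tar.extractall(dest)


def verify_restore(archive: Path, manifest_path: Path) -> dict:
    """Restore into a throwaway directory and compare with the manifest.
    ok is True only when every expected file came back byte-for-byte intact."""
    expected = json.loads(manifest_path.read_text())
    report = {"ok": False, "checked": 0, "missing": [], "corrupt": [], "error": None}
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                safe_extract(tar, root)
        except Exception as exc:  # any failure here means the backup is unusable
            report["error"] = f"{type(exc).__name__}: {exc}"
            return report
        restored = root / "data"
        for rel, digest in expected.items():
            p = restored / rel
            if not p.is_file():
                report["missing"].append(rel)
            elif sha256_file(p) != digest:
                report["corrupt"].append(rel)
            else:
                report["checked"] += 1
    report["ok"] = not report["missing"] and not report["corrupt"]
    return report


def demo() -> tuple:
    """Constructed run: a healthy backup, then the same archive truncated to
    simulate a copy to offsite storage that was cut short."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "crm"
        (source / "customers").mkdir(parents=True)
        (source / "customers" / "orders.csv").write_text("id,total\n1,19.99\n2,4.50\n")
        (source / "config.ini").write_text("[db]\nhost=db01\n")
        archive = Path(work) / "crm-backup.tar.gz"
        manifest = create_backup(source, archive)
        good = verify_restore(archive, manifest)
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])  # truncate the archive
        bad = verify_restore(archive, manifest)
        return good, bad


if __name__ == "__main__":
    healthy, truncated = demo()
    print("healthy backup:", healthy)
    print("truncated backup:", truncated)
```

The point of the manifest is that "the restore finished without errors" is not the same as "the data came back"; a silently truncated or bit-rotted archive fails the digest comparison even when the extraction itself reports nothing. Run the check on a schedule against the backup copy you would actually restore from (the offsite one), never against the source.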
With all of these preventative controls in place, your team will be ready to dive into the bulk of their day-to-day responsibilities: monitoring. Having visibility into what’s happening on your network and your systems will give you the most bang for your buck.
Reviewing audit logs for suspicious activity, whether via an automated or manual process, will enable your team to detect when an attack has slipped past your layered defenses. More importantly, it will enable your team to respond quickly, reducing the impact that the incident could have on your business.
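The review process described above, as an added example that is not part of the original article: a Python script that reads syslog-style sshd lines, keeps a sliding window of failed logins per source IP, and raises alerts for password brute forcing, for a success that follows a brute-force burst, and for a login to an account not on the approved list. The log lines, the approved user list, the log year, and the five-failures-in-two-minutes threshold are all assumptions constructed for the example.

```python
"""Automated review of sshd authentication logs (added example, not from the
original article). Parses syslog-style lines, tracks failed logins per source
IP in a sliding window, and raises alerts for brute forcing, for a success
following a brute-force burst, and for logins to accounts that are not on the
approved user list. The log lines below are constructed for this example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions for this example: syslog omits the year, so one is supplied;
# five failures from one IP within two minutes is treated as brute forcing.
LOG_YEAR = 2024
BRUTE_THRESHOLD = 5
WINDOW = timedelta(minutes=2)
KNOWN_USERS = {"jsmith", "alee"}  # constructed list of approved SSH users

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

SAMPLE_LOG = """\
Mar  4 09:12:01 web01 sshd[2214]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Mar  4 09:12:03 web01 sshd[2216]: Failed password for invalid user oracle from 203.0.113.45 port 51124 ssh2
Mar  4 09:12:04 web01 sshd[2218]: Failed password for root from 203.0.113.45 port 51126 ssh2
Mar  4 09:12:06 web01 sshd[2220]: Failed password for jsmith from 203.0.113.45 port 51130 ssh2
Mar  4 09:12:08 web01 sshd[2222]: Failed password for jsmith from 203.0.113.45 port 51132 ssh2
Mar  4 09:12:09 web01 sshd[2224]: Failed password for jsmith from 203.0.113.45 port 51134 ssh2
Mar  4 09:12:20 web01 sshd[2240]: Accepted password for jsmith from 203.0.113.45 port 51190 ssh2
Mar  4 09:30:00 web01 sshd[2300]: Failed password for jsmith from 192.0.2.10 port 40001 ssh2
Mar  4 09:30:05 web01 sshd[2302]: Accepted publickey for jsmith from 192.0.2.10 port 40002 ssh2
Mar  4 11:45:12 web01 sshd[2500]: Accepted password for backup_svc from 198.51.100.7 port 60000 ssh2
Mar  4 11:45:13 web01 sshd[2500]: pam_unix(sshd:session): session opened for user backup_svc by (uid=0)
"""


def parse_auth_line(line):
    """Return a dict for an sshd Accepted/Failed line, or None for other lines."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return ev


def review_log(lines, known_users=KNOWN_USERS):
    """Scan lines in order; return a list of alert dicts."""
    alerts = []
    failures = defaultdict(deque)  # source IP -> timestamps of recent failures

    def alert(kind, ev, detail):
        alerts.append({"kind": kind, "ip": ev["ip"], "user": ev["user"],
                       "time": ev["ts"].strftime("%Y-%m-%d %H:%M:%S"),
                       "detail": detail})

    for line in lines:
        ev = parse_auth_line(line)
        if ev is None:
            continue
        recent = failures[ev["ip"]]
        while recent and ev["ts"] - recent[0] > WINDOW:  # drop stale failures
            recent.popleft()
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) == BRUTE_THRESHOLD:  # fire once per burst
                alert("brute_force", ev,
                      f"{BRUTE_THRESHOLD} failed logins within {WINDOW}")
            continue
        # Accepted: preceded by a burst of failures, or to an unapproved account?
        if len(recent) >= BRUTE_THRESHOLD:
            alert("success_after_brute_force", ev,
                  f"{ev['method']} login succeeded after {len(recent)} failures")
        if ev["user"] not in known_users:
            alert("unknown_account", ev,
                  f"{ev['method']} login to account not on the approved list")
    return alerts


if __name__ == "__main__":
    for a in review_log(SAMPLE_LOG.splitlines()):
        print(f"{a['time']} {a['kind']:<26} {a['ip']:<15} {a['user']:<10} {a['detail']}")
```

A single mistyped password (the 192.0.2.10 lines) produces no alert, which is the behaviour you want from a rule the team has to read every morning; the alert that deserves the fastest response is the success after a burst, because it means the password was guessed, not just attacked. The same sliding-window structure works for VPN, web admin console and Windows 4625/4624 events once you swap the regex.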
Finally, don’t overlook all of the contractors, consultants, partners, and other non-employees who have access to your network and your systems. Document your security requirements for these people in your Third Party Connectivity Policy in order to ensure that you haven’t left the back door unlocked for anyone who might be tempted to abuse the access you’ve granted them.
Accounting for all of these controls will help you better understand (and document) your day-to-day security operations procedures.
To recap, every business owner should do the following:
• Implement appropriate network security controls
• Document a Network Security Policy
• Install endpoint security software on every system in your IT asset inventory
• Encrypt data at rest and data in motion
• Document a Change Management Policy
• Implement non-production systems for testing purposes
• Document an Information Systems Backup Policy
• Test backups on a regular basis
• Review audit logs for suspicious activity
• Document a Third Party Connectivity Policy
In the next article, we’ll tackle Access Management.