Another View: Don't let cybersecurity bug you
- By Amit Yoran
- Sep 18, 2002
Cybersecurity sometimes seems like a hopelessly complex subject, with a diverse and colorfully named range of threats. Recent viruses on the most-active lists include Klez.I, Grade A, and Dadinu, plus the reliable Nimda and Code Red worms.
But if you are organized, the task of securing your networks might not seem so daunting. Here's a blueprint for protecting your agency networks from the damage that viruses and intrusions can do.
Step 1: Appoint a chief security officer to supervise protection initiatives. Some agencies put the onus for security on their network administrators. They often don't know how to prioritize information security against other IT initiatives. A CSO can ensure that security gets the right level of attention and that policies are uniform across the agency.
Step 2: Ask questions. Your research should answer such queries as: What are the agency's IT assets? What needs to be protected? What are the acceptable levels of risk? How should we respond to security-related incidents?
Step 3: Review current policies and practices to identify weaknesses in security management. Always view policies and procedures as works in progress to be continuously evaluated and modified to meet changing security requirements.
Step 4: When you implement security initiatives, do so in an orderly manner according to a priority list. Early initiatives might involve security assessments by third-party organizations. It is important that you hold off on these tests until your security requirements and strategy are formulated. Your contractor will need this information before conducting an assessment.
Step 5: After you've created a comprehensive security policy, document it.
Step 6: Pay a lot of attention to implementation, then enforcement and monitoring of the security policy. Don't assume it will get done right.
Step 7: Establish regular training programs to keep people aware of and accountable for sensitive data.
Step 8: Purchase, integrate and configure security technologies'firewalls, antivirus and intrusion detection software, for example'identified as critical to meeting the security objectives.
Step 9: Conduct regular technical vulnerability assessments to ensure that you identify and neutralize emerging weaknesses. Quarterly reviews used to be sufficient. In light of today's heightened threat levels, many agencies might require more frequent assessments.
Step 10: Constantly monitor your networks. While most organizations today mitigate risk by implementing security products and hiring consulting services to perform audits, these are not sufficient. Just as organizations use security guards to notify them of a breach in physical security, agencies must do likewise for information security.
A successful security strategy is driven from top agency executives. But program and technical managers must buy in. A successful strategy will link specific tactical security initiatives to people, processes and technology.
Even though the steps highlighted here are brief, they present a solid and coherent approach to developing and implementing a sound security strategy. Amit Yoran is vice president for Worldwide Managed Security Services Operations at Symantec Corp.