Getting IT security priorities right
Information security should protect the company's important assets, be transparent, unobtrusive and always up-to-date, and of course cost nothing. There is no magic formula that achieves all of this, but with a structured approach you can fulfill at least two of these five wishes: a high level of protection and security that stays up-to-date.
The first step: The organizational security policy
As hard as it might be, the simple rule of thinking through the fundamentals at the start of a project also applies to IT security. An organizational security policy governs all areas of information security within an organization. It describes the factors most relevant to the company's IT security and should reference regulatory requirements, industry standards, internal compliance requirements and best practices. Most companies have probably already taken this step; if not, there are plenty of instructions and templates on the Internet for managers to follow. A security policy may include general instructions on how IT security is to be implemented, or it may include specific security procedures or reference a separate document describing them: for example, that remote access must be protected by a VPN, and which encryption algorithms are required for it.
Know what you have: Keeping an inventory of the network
Nothing is more constant than change, and this also applies to network infrastructure. For most companies the network will change month by month through new hardware or new services such as cloud connectivity and mobile technology. It is therefore all the more important to maintain a clear picture of the existing infrastructure, including the applications and their security policies. This is easier with the appropriate tools: one to inventory assets and topologies, and another to map compliance levels against the policy.
It's like building a digital house: Once the architecture and topology are aligned with corporate policy, you can begin to lay the foundations with specific measures even if these cannot be implemented entirely in existing systems.
The architecture should be aligned with the security zones that the security policy defines on the basis of the application risk matrix. Perimeter defenses alone are no longer enough. Internal network segmentation, which controls east-west traffic between zones, helps to hinder or prevent lateral movement by an attacker who has already gained a foothold inside the network.
Plugging holes: Putting theory into practice
If you've followed the steps so far, you'll have a good blueprint of your network, applications and application security policies. Nevertheless, there will be differences between the target state and the actual state, and you will need to find and fix them. This includes examining and configuring the devices that enforce the security policy in practice: firewalls, routers, VPN gateways and switches.
The never-ending story: Keeping change management under control
It's a fool’s game just to set and forget. Best practice information security follows the PDCA cycle: Plan, Do, Check, Act. A continuous process is necessary to ensure that infrastructure is not only secured but also that security levels are improved and maintained over time. Any configuration change can potentially tear holes in the security measures and breach the security policy. Change management processes are often part of audit requirements to address this issue. This means that managers must not only check whether the desired change is compatible with the security policy, but also name those responsible for it and document it in an audit-proof manner.
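The two checks described above, finding the gaps between the target state and the actual state of the enforcing devices, and gating every change against the security policy, can be automated once the zones and the application risk matrix are written down in machine-readable form. The following is an added example and not code from the original article: it expands each allow rule of a firewall into the zone-to-zone flows it really permits and reports those the policy matrix does not allow. The zone prefixes, the policy matrix, the rules and all names (ZONES, POLICY, Rule, violations, review_change) are constructed for this example.

```python
"""Check a firewall ruleset against the security-zone matrix of the policy.

Added example, not code from the original article. Zone prefixes, the
policy matrix and all rules below are constructed sample data; the names
(ZONES, POLICY, Rule, violations, review_change) are this example's own.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

CATCH_ALL = "internet"  # addresses belonging to no internal zone

# Security zones -> CIDR prefixes (constructed).
ZONES = {
    "dmz": ["10.10.0.0/24"],
    "office": ["10.20.0.0/16"],
    "servers": ["10.30.0.0/16"],
    "mgmt": ["10.99.0.0/24"],
}

# Application risk matrix: permitted (source zone, destination zone) -> ports.
# "*" matches any zone. Flows not listed are forbidden (default deny);
# traffic that stays inside one zone is out of scope for the matrix.
POLICY = {
    (CATCH_ALL, "dmz"): {443},
    ("dmz", "servers"): {5432},
    ("office", "dmz"): {443},
    ("office", "servers"): {443, 445},
    ("mgmt", "*"): {22, 3389},
}

@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # CIDR; 0.0.0.0/0 means "any"
    dst: str
    port: Optional[int]  # None = any port
    action: str          # "allow" or "deny"

def zones_touched(cidr: str) -> Set[str]:
    """Every zone whose address space the CIDR reaches; the catch-all zone
    is added when the CIDR is not fully inside one internal zone."""
    net = ipaddress.ip_network(cidr, strict=False)
    touched, covered = set(), False
    for zone, prefixes in ZONES.items():
        for p in prefixes:
            pn = ipaddress.ip_network(p)
            if pn.overlaps(net):
                touched.add(zone)
            if net.subnet_of(pn):
                covered = True
    if not covered:
        touched.add(CATCH_ALL)
    return touched

def allowed_by_policy(src_zone: str, dst_zone: str, port: Optional[int]) -> bool:
    """A flow is permitted only on an explicitly listed port; a rule that
    opens every port can never be covered by the matrix."""
    if port is None:
        return False
    for (s, d), ports in POLICY.items():
        if s in (src_zone, "*") and d in (dst_zone, "*") and port in ports:
            return True
    return False

Violation = Tuple[str, str, str, Optional[int]]  # rule, src zone, dst zone, port

def violations(rules: List[Rule]) -> List[Violation]:
    """Expand each allow rule into zone-to-zone flows and report the ones the
    policy does not permit. Sorted so the report is stable."""
    found = []
    for r in rules:
        if r.action != "allow":
            continue
        for s in zones_touched(r.src):
            for d in zones_touched(r.dst):
                if s != d and not allowed_by_policy(s, d, r.port):
                    found.append((r.name, s, d, r.port))
    return sorted(found, key=lambda v: (v[0], v[1], v[2]))

def review_change(proposed: Rule) -> List[Violation]:
    """Change-management gate: the flows a proposed rule would open that the
    policy forbids. An empty list means the change may be approved."""
    return violations([proposed])

# Constructed "actual" ruleset, as it might be exported from a firewall.
ACTUAL_RULES = [
    Rule("web-in", "0.0.0.0/0", "10.10.0.0/24", 443, "allow"),
    Rule("web-db", "10.10.0.0/24", "10.30.1.0/24", 5432, "allow"),
    Rule("office-files", "10.20.0.0/16", "10.30.0.0/16", 445, "allow"),
    Rule("legacy-flat", "10.20.0.0/16", "10.30.0.0/16", None, "allow"),
    Rule("mgmt-ssh", "10.99.0.0/24", "10.0.0.0/8", 22, "allow"),
]

if __name__ == "__main__":
    for name, s, d, port in violations(ACTUAL_RULES):
        print(f"{name}: {s} -> {d} port {port or 'any'} is not permitted by policy")
    proposed = Rule("office-rdp", "10.20.0.0/16", "10.99.0.0/24", 3389, "allow")
    print("change approved" if not review_change(proposed) else "change rejected")
```

Run against the sample ruleset, the report flags two kinds of drift: the "legacy-flat" rule opens every port from the office zone to the server zone, which is exactly the east-west hole segmentation is meant to close, and the "web-in" rule, because its source is "any", also admits the server and management zones to the DMZ on port 443, which the matrix never granted. The same function serves as the change gate: the proposed office-to-management RDP rule is rejected because no row of the matrix covers that flow, and the reviewer gets the offending flows rather than a bare yes or no.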
Being prepared for audits
Rumor has it that some companies implement IT security measures only for show, when an audit is around the corner. As soon as the auditor leaves the building, all best practices are thrown out of the window. This not only has fatal consequences for information security, it is also very costly behavior: all the expense of organizing and securing the infrastructure will have been in vain. With a bit of luck, the steps described in this post will result in solid, well-documented measures that are actively maintained, so that nobody has to return to the bad old days of negligent security on many levels. If a company has set out its information security policy according to best practice, the chances of achieving this are very high.