Often the hardest part about overhauling an organization’s IT security program is knowing where to begin. In this guest post, security pro Ryan Halstead has some advice on getting started.
Starting an information security program is a complicated process. Establishing and justifying the budget is the first step – but then where do you begin once you get approval?
Without a plan, starting a formal security program can be intimidating. Consider these five strategies for starting an information security program:
1. Designate a security representative
Even if you don’t have the budget for a dedicated security technician, it is important to appoint someone as the de facto “security contact” for the organization. Depending on the environment or business, this person can be of any technical background, including support or help desk staff.
The most important skills to have are good customer service skills and a willingness to work with people who don’t understand information security. Additional budget will be easier to secure if the person can effectively communicate the value of security to the rest of the business.
2. Centrally manage IT security
Don’t expect your new security technician to immediately secure all business processes and programs. The security tech should serve as a central point of authority (or as an “auditor”), ensuring policies and procedures are followed. When security fails, the security tech should provide remediation services and document how the incident was handled.
The security technician should also ensure workflow or development processes within the IT department are closely observed. At the client or desktop level, the security tech should be checking OS and software updates and verifying that antivirus signatures are up-to-date. Best bet: Start small and don’t try to secure the entire company at once.
3. Define and document critical information and processes
Many small-business IT environments are not well documented, if at all. The key employees simply know the business, which usually includes business-critical programs, processes and dependencies. A major introductory task for your security representative will be starting the documentation process. The documentation should clearly define business technology processes, the dependencies and how they interoperate.
The process of definition and documentation will also yield a very important dividend: creation of vital business continuity and disaster recovery planning materials. This documentation will provide for a quicker recovery, should a disaster strike the company.
4. Gather data about your network
Gathering information about the network will equip the security technician with a baseline of what “normal” should look like. While this process can be as simple or complicated as you make it, there are some important factors to consider.
Determine what you need to collect. All information is valuable in the right context, but too much information is worthless if it overwhelms the observer. Establish what technology is important, and start at that point. If Internet bandwidth is important, start gathering usage statistics at the network edge, and pay less attention to the internal network at first. However, internal network monitoring can be the best way to quickly determine overall network health.
Some online research will yield a broad array of free network monitoring tools – begin to incorporate these tools to better understand your network and associated information environments. Be sure to talk about budget for storing this information, if you choose to keep it – network logs can use a surprising amount of disk space.
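As an added example (not from the original post), here is a small Python sketch of the “baseline of normal” idea above: it builds a per-hour bandwidth baseline at the network edge from constructed readings, flags readings that fall well outside it, and estimates how much disk the logs will need over a retention period. The sample readings, the z-score threshold and the storage figures are assumptions chosen for illustration.

```python
"""Edge-bandwidth baseline and log-storage estimate (added example)."""
from statistics import mean, pstdev

# Constructed readings: (hour_of_day, megabits_per_second) sampled at the
# Internet edge over one week. Daytime is busy, 2 AM is quiet.
SAMPLES = [
    (9, 48), (9, 52), (9, 50), (9, 49), (9, 51), (9, 50), (9, 53),
    (2, 4), (2, 5), (2, 4), (2, 6), (2, 5), (2, 4), (2, 5),
]

# Floor for the spread so a perfectly constant hour does not divide by zero.
MIN_STDEV_MBPS = 0.5


def build_baseline(samples):
    """Return {hour: (mean_mbps, stdev_mbps)} describing 'normal' per hour."""
    by_hour = {}
    for hour, mbps in samples:
        by_hour.setdefault(hour, []).append(mbps)
    return {
        hour: (mean(vals), max(pstdev(vals), MIN_STDEV_MBPS))
        for hour, vals in by_hour.items()
    }


def classify(baseline, hour, mbps, z_threshold=3.0):
    """Compare one reading with the baseline for its hour.

    Returns 'normal', 'anomalous', or 'no-baseline' when the hour has never
    been observed (a gap worth filling before trusting alerts for it).
    """
    if hour not in baseline:
        return "no-baseline"
    avg, sd = baseline[hour]
    z = abs(mbps - avg) / sd
    return "anomalous" if z > z_threshold else "normal"


def estimate_log_storage_gb(events_per_second, avg_bytes_per_event, retention_days):
    """Rough disk budget for keeping raw logs for the retention period."""
    bytes_total = events_per_second * avg_bytes_per_event * 86400 * retention_days
    return bytes_total / 1e9


if __name__ == "__main__":
    base = build_baseline(SAMPLES)
    print("9 AM, 52 Mbps:", classify(base, 9, 52))   # normal
    print("2 AM, 40 Mbps:", classify(base, 2, 40))   # anomalous: night spike
    print("90-day log budget (GB):", round(estimate_log_storage_gb(200, 300, 90), 2))
```

The 2 AM spike is the kind of reading the baseline exists to surface; whether it is a backup job or something worth an incident ticket is what the documentation from step 3 helps you decide.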
5. Educate users
The single most important security consideration on your network is the user, and educating the user is probably the most effective use of your security tech’s time. Users are often the easiest way for outsiders to access your information.
Passwords, data hygiene, and how your users react to phishing and social engineering attempts will determine how secure your information will remain. Spending time educating and training users on good security practices is one of the best ways to use your security technician.
Starting a security program is a big step – but it shouldn’t be overwhelming. By using common sense and best practices, you can build a good security foundation. Engaging the information security community is also important. Developing relationships with other security staff in similar business sectors will help you better understand the nuts and bolts of security. But never assume you won’t fail: no system is ever totally secured. Be sure your security staff has access to incident response and remediation resources. Be calm, and use your head – and fully support your security staff every step of the way.
About the author: Ryan Halstead, CISSP is the Security Services Manager at Missouri Southern State University. His blog is located at blog.allocatedsecurity.com where he writes about security management and best practice. Opinions are his own, and do not reflect those of his employer.