Thinking Beyond the Product
Protecting information assets in the digital age
- By B. Scott Haroff
- Sep 10, 2009
Technology plays a dichotomous role in the
security of an organization's information
assets. While it enables us to protect assets in
ways we never imagined, it also can enable the very
threats that leave those assets vulnerable.
Regardless of the organization or the type of assets
being protected, one thing is true: technology—the
security products and solutions on which we rely—
can no longer stand alone.
Today's sophisticated business environment calls
for an equally sophisticated, holistic approach that
incorporates not only technology but also the people
and processes that will ensure technology achieves
our objectives for the protection of information.
During the last decade, threats have certainly changed
in character. Gone are the days when the most dangerous
risks to an organization were physical in nature.
Logical threats, such as hacking, viruses and digital
sabotage, have become more prevalent as technology
has proliferated. And those dangers are coming from
both internal and external sources.
That's why information security—the protection
of sensitive data and the infrastructure on
which it resides—has become one of the most topof-
mind concerns for security professionals. Unlike
many physical threats, the impact of logical security
breaches is typically far-reaching and long-lasting.
Organizations, with help from their security partners
and suppliers, must examine their current security
structures and develop robust, integrated programs
that effectively protect their networks, systems and
data. Such an approach can complement an organization's
business objectives, while enabling it to
identify vulnerabilities, assess and prioritize threats,
deploy efficient mitigation strategies and manage the
information security program.
Assessing the Situation
To adequately safeguard systems, an organization's security
professionals need to identify and understand
where it is most vulnerable. Only then can the appropriate
technologies, people and processes be implemented
to protect data assets.
A risk assessment can deliver insight about existing
opportunities for information technology systems
to be compromised. It can help determine how well
critical systems are protected, providing a detailed
analysis of both external and internal threats. Ongoing
assessments should be conducted to confirm
systems are protected, as well as to ensure strategies
and technologies remain effective.
Developing a Holistic Strategy
Once vulnerabilities have been identified, the ultimate
goal of any information security initiative should
be the development of a holistic strategy to protect
consumers, employees and the organization.
The implementation of a proactive, positive information
security model should be the first step in
the development of such a strategy. In tandem with
antivirus software, which proactively prevents intrusion,
defies hackers and identifies suspicious activity,
a positive model provides protection by allowing only
limited privileges to system users, applications and
data. Positive model programs do not rely on detection
of an intrusion before raising a red fl ag. Rather,
they create rules that define allowable activities and
restrict all else. This embraces a philosophy that fewer
allowed permissions yield the least opportunity for
threats. With this architecture in place, the system's
connectivity can be shut down if an action falls outside
the normal scope of operation.
A holistic information security strategy also should
incorporate technologies that are interoperable with
an organization's physical systems, such as physical
access control systems and personnel databases. Integrating
these systems with the logical access control
system can provide organizations with complete reporting
of employee activity, including information
about who is entering facilities and rooms, as well as
physically accessing computers and other devices, and
at what times.
This level of system integration also allows for
the creation of an automated workfl ow process that
executes automatically based on the business policies
and compliance requirements mandated by the organization.
For example, if an employee hasn't swiped
into the building, his or her account could be automatically
locked to prevent unauthorized computer
access. Furthermore, once an employee is removed
from the personnel database, the automatic removal
of that user from both physical and logical access
control systems can be triggered.
Engaging the People, Defining the Processes
The efficacy of information security relies, in large
part, on people. Each person should be aware of security,
understand his or her role in mitigating risk and
be committed to providing protection. Processes—
and training programs to ensure the understanding
and adoption of those processes—must be in place
to enable all employees to understand rules, roles and
Staffing is critical to the successful deployment of
information security technologies. Before selecting
and deploying technologies, organizations should understand
the staffing that's needed to effectively and
efficiently implement and manage technology. Even
the most proactive, sophisticated security technologies
can be rendered useless without the people and
processes needed to support them.
As the industry continues its focus on the protection
of critical systems and data, we must all go
beyond the product. We must place equal emphasis on
the people and processes that will ensure we maximize
the technologies that were designed to protect our