(Week 4 of 4)
by Michael McKinzie, CISSP
Well as we are in our final week of this series with just a few comments I will briefly summarize and conclude this topic as best as I can. One reader indicated his organization currently uses a strict policy about internet use, and content is blocked based on type or category. I support enforcing a computer use or internet use policy with content filtering. It would be interesting to know if the organization blocks access to webmail and social media sites in addition to the standard blocked categories or at least have a more detailed understanding how they handle this. These sites pose certain risks due to their public and widespread use and since they are easy mediums to transport or publish potentially sensitive information. I understand it is neither feasible nor common practice to “lock-down” the network to prevent any and all access to the outside world. Although I do not think most users are malicious or have ill intent, but employees changing jobs, facing a lay-off or just disgruntled may not keep the company’s best interest in mind.
Recommendation #1 – Use ISO 17799 as a Guide for Information Security
This recommendation ISO/IEC 17799:2005 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. It may provide a good foundation which you can tailor to your needs and industry.
Recommendation #2 – Implement an End User Computer Use Policy & Awareness Program
Although it is only one component, it can be powerful by just informing users there are consequences to their actions and they can and will be held accountable. This should be handled by IT, Legal, and Human Resources or drafted by a contracted Law firm in the event legal action is necessary. I believe keeping the End User Computer Use Policy very simple and concise is an effective approach. It should be updated, and revised as necessary and presented periodically for instance during employees’ annual performance reviews.
Recommendation #3 – Auditing & Logging
An easy and often neglected area is simply turning on user auditing and logging. You may not have the resources physically (manpower) or technically (software) to capture, review and manage all interesting network events, but even native Windows and Linux (audit daemon) auditing can give you quite a bit of information about users’ behavior and mis-configured users and systems. Random reviews might be enough for your organization but there are a number of open-source utilities, commercial applications and even managed services which will aggregate, and correlate the data. In addition most event management systems and services will alert or take action based on the event and defined policy.
Recommendation #4 – Control the Data at the Endpoint
Many organizations have established multiple locations or a mobile work force to compete effectively, serve widespread customers, and increase domestic and international presence. This paradigm has created new challenges for IT departments not only in terms of supporting this infrastructure but to maintain reasonable control over company data. Based on a 2008 PC World survey (http://www.pcworld.com/businesscenter/article/147739/laptops_lost_like_hot_cakes_at_us_airports.html), over 10,000 laptops are reported lost or stolen each week from the 36 largest airports in the U.S. This is just one facet of data loss not including such risks as lost disks, tapes, malicious attacks or users, mis-configured systems, accidental data incidents and so forth.
- Endpoint Security and Full Disk Encryption (FDE) should be a consideration especially as it can be a very effective solution for lost or stolen devices.
- Apply appropriate rights and permissions to prevent accidental or intentional data discovery. I have personally seen many “snooping” incidents where users are curious about what others earn in the company, or interested in personal information which may be on file with Human Resources.
- Enforce Web and Email Content Filtering. Implementing tools to help mitigate and prevent accidental or intentional data leakage is an effective way to protect sensitive information being sent right out the front door.
Recommendation #5 – Hold Affiliates and Business Partners Accountable
Understand how your data flows through business processes and if the data is shared or provided to third parties. Hold your affiliates and Business Partners to high standards in protecting this data as you both fall into a chain of responsibility which may have legal and monetary consequences. Sharing your concerns and security policy may be an effective way to collaborate and improve the security posture for all interested parties.
Recommendation #6 – Have an Incident Response Plan
An incident response program can be very involved and resource intensive. A number of security companies provide services in this area, but an organization may implement a simple plan to handle the technical and logistical aspects. Organizations may want to prepare a notification plan to let affected persons or parties know the details, and recommended actions in the event a security incident occurs.
I appreciate the time you have spent to read our blog and we hope you find the information useful or provide some points for discussion. I think the way technology continues to evolve will provide a constant challenge to maintain security and privacy. It is important for security professionals and organizations to continually adapt and share information to battle security threats. Our goal is to help organizations find better and practical ways to implement and manage security. If you have questions or comments, I can be reached at firstname.lastname@example.org