By Ivo Georgiev and Brian Lehmann
Introduction
You have anti-virus, anti-spyware and anti-everything else installed on your PCs, you have a firewall and you know that your PCs are set to automatically update Windows as soon as the next patch is released. Now that you have started securing your information technology, you quickly realize that there are an endless number of ways to spend your company's limited IT budget. How do you know where to spend your next IT security dollar wisely? How do you convince others that you are going to spend IT dollars well? An established set of security standards can help your organization reduce the cost of establishing and managing a corporate security policy.
Adopting an Information Security Standard
One of the greatest benefits of adopting a set of pre-defined standards is the time and money you will save determining what is acceptable and appropriate in your current IT environment. Standards set by experts provide more than adequate guidance, so there is no need to reinvent the wheel. PCI DSS (Payment Card Industry Data Security Standard) is a great place to start.
All companies that process credit card transactions need to comply with PCI DSS, so any dollar spent securing an IT environment according to PCI DSS will ultimately be money well spent. Of the many standards, frameworks and guidelines in the IT world, PCI DSS addresses real world issues (reducing the likelihood of credit card related security incidents) without being overly vague or too industry specific.
Furthermore, PCI DSS is based on security best practices. This means it can be successfully applied to protect any kind of confidential personal and business data. Adopting and implementing a security standard will also help maintain compliance with data privacy legislation such as PIPA and PIPEDA.
PCI DSS Requirements
Within PCI DSS, there are a number of areas where limited resources can make visible progress in a short period of time.
Firewall Review
Initial firewall installations are typically carefully planned and delivered. However, firewalls and their configurations need attention on a regular basis. Over time, a company’s needs change as does the network that the firewall protects. Firewalls also require updates to their own software as part of routine maintenance. Documenting the current configuration, justifying the current rules that are in place, properly mapping the underlying networks and their connections all demonstrate control over the IT environment. They also reduce the costs associated with managing the firewall when changes are necessary in the future. Third parties and new employees can understand the firewall and the network in much less time when the firewall is properly configured and documentation is complete.
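As an added illustration of the rule review described above (example code, not from the original article): a small Python script that checks a constructed firewall ruleset against its justification register, flagging allow rules with no documented business justification, rules whose review is overdue, overly permissive allow rules, and register entries that refer to rules no longer present. The field names, the "any" wildcard and the six-month review interval are assumptions for this illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data: a small ruleset and its justification register.
# Field names and the "any" wildcard are assumptions for this illustration.

@dataclass
class Rule:
    rule_id: str
    src: str
    dst: str
    port: str
    action: str  # "allow" or "deny"

@dataclass
class Justification:
    rule_id: str
    owner: str
    reason: str
    last_reviewed: date

REVIEW_INTERVAL = timedelta(days=182)  # roughly six months (assumed cadence)

RULES = [
    Rule("R1", "10.0.1.0/24", "10.0.2.10", "443", "allow"),
    Rule("R2", "any", "any", "any", "allow"),
    Rule("R3", "10.0.1.0/24", "10.0.2.20", "3306", "allow"),
    Rule("R4", "any", "any", "any", "deny"),   # final default deny
]

REGISTER = [
    Justification("R1", "web team", "HTTPS to web tier", date(2024, 1, 15)),
    Justification("R3", "dba", "app tier to database", date(2023, 2, 1)),
    Justification("R9", "legacy", "old FTP server", date(2022, 6, 1)),
]

def review_ruleset(rules, register, today):
    """Return (rule_id, finding) pairs for rules lacking a current,
    documented justification or granting more access than stated."""
    findings = []
    reg = {j.rule_id: j for j in register}
    live_ids = {r.rule_id for r in rules}
    for r in rules:
        j = reg.get(r.rule_id)
        if j is None and r.action == "allow":
            findings.append((r.rule_id, "no documented business justification"))
        elif j is not None and today - j.last_reviewed > REVIEW_INTERVAL:
            findings.append((r.rule_id, "justification review overdue"))
        if r.action == "allow" and "any" in (r.src, r.dst) and r.port == "any":
            findings.append((r.rule_id, "overly permissive allow rule"))
    # Register entries for rules that no longer exist point at stale documentation.
    for rid in reg:
        if rid not in live_ids:
            findings.append((rid, "justification refers to a removed rule"))
    return findings

if __name__ == "__main__":
    for rid, msg in review_ruleset(RULES, REGISTER, date(2024, 6, 1)):
        print(f"{rid}: {msg}")
```

Run periodically against the exported ruleset and the register; an empty findings list is the evidence an auditor or a new administrator can read in minutes.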
Vulnerability Assessment
Testing a network for vulnerabilities both from inside the network and from the outside can dictate where IT funds need to be spent. New vulnerabilities are always arising, so it is no surprise for an organization to have issues to address, but how vulnerabilities are handled is critical. Proper prioritization, eliminating or reducing known vulnerabilities wherever possible and tracking the number of vulnerabilities and their solutions over time are all key components of sound IT management. Identifying your vulnerabilities and addressing them long before they are uncovered during a formal IT audit can reduce the likelihood of critical data being compromised. At the same time, the risk of embarrassment and the stress on the IT department from technical staff right up to the CIO level are also reduced.
Password Policy
Password policies are often an easy way to start implementing security policies within an organization. Once the first policy is in place, additional policies, such as acceptable Internet use, become much easier to implement. Complying with a set of standards often drastically reduces the amount of time required to negotiate what rules are appropriate within a company. PCI DSS defines rules for how passwords should be managed, including the basics such as minimum password length and maximum password age. HR and IS can work together to build a set of corporate policies to be accepted and signed off by all employees as part of their employment. An effective password policy goes far in addressing internal security breaches which are a possibility in any organization.
Incident Response Procedures
Although major disasters are rare, other incidents which negatively impact organizations happen much more frequently. Calling in the correct staff or third parties as early as possible improves the likelihood that the incident will be resolved with the minimum possible impact and cost. PCI DSS requires that an Incident Response Plan exists and offers guidance in creating one. Designating roles and responsibilities, effective monitoring and ongoing improvement are key components of PCI DSS compliance.
Other PCI DSS requirements may demand considerably more effort. Those who develop software systems internally will want to consider security upfront in their design rather than retrofitting it once an application is in place. As you work through subsequent PCI DSS requirements, it is imperative that systems are implemented with the capacity to not only address current concerns but to also satisfy any future issues that may arise. For example, if you are going to be purchasing remote access equipment, start thinking about two-factor authentication. There is little to gain from investing in solutions that will ultimately fall short during future compliance audits. A well thought out and implemented system will preclude the need for crisis security management down the line.
Often companies find their first compliance exercise the most difficult to organize: estimating time requirements is not always easy; internal templates typically do not exist, and existing documentation is rarely complete and up-to-date. However, in today’s business environment, organizations face an increasing number of regulations and business standards demanding protection of critical data. It is important to keep in mind that your first brush with compliance is unlikely to be your last.
Conclusion
As you work towards compliance with a set of standards such as PCI DSS, remember that anything you create for the initial exercise you will want to be able to re-use in the future. Knowing how long a task took the first time provides a baseline for improvement in the future. In short order, your IT security audit expenses will be reduced and your IT spending will become more effective as your level of organization improves.
About the Author
Brian Lehmann, BComm/LLB CISSP, Security, Management and Infrastructure Consultant.
Brian Lehmann is a senior IT professional with excellent people, fiscal and technical management skills. His 13 years of experience in the IT/IS industry (7+ years at the management level) in both technical and business systems areas have honed his specialized skills in infrastructure design and implementation, security solutions, audit preparation and assessments, and policy development and integration.
Ivo Georgiev, B.Sc. CISSP, Information Security Services.
Ivo Georgiev is an internationally certified security professional with over 18 years of management and technical experience as an IT systems architect, security engineer and senior consultant in the financial, government, health and transportation sectors. Working with international companies on enterprise security management projects, privacy and security reviews and security architecture implementations has afforded him an in-depth knowledge of the complex business and technical requirements information security needs to address.
