Governance Issues: Checklist for Security Management
The purpose of security planning is to determine how to manage the various assets in enterprises to minimize security risks. To assure that the security plan minimizes the risks to the business, it is a good idea to adopt the following governance practices.

Governance Checklist (Detailed)
1. Plan Security Management
· Establish a security management process.
· Make a staff member responsible for the overall security of the system.
· Define internal (organization specific) as well as external (government, industry related) security requirements.
· Develop a model of the system that shows the important components and their interrelationships. The view should show the key components that are impacted by the security requirements.
· Identify and evaluate risks associated with each valuable resource. This involves a study of vulnerabilities of individual system components, and identification of threats that could exploit the vulnerabilities. Vulnerabilities and threats can be discussed in terms of privacy, integrity, authentication, authorization, accountability, and availability (abbreviated PIA4).
· Conduct configuration-dependent risk analysis through techniques such as attack trees. For example, a database connected to a wireless network is more vulnerable to attacks than one connected to an internal corporate network. An attack tree, also known as an attack graph, is simply a logical decision tree used to perform a systematic analysis of different attack scenarios.
· Prioritize risks in terms of the expected loss in case of attacks.
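The attack-tree and expected-loss items above, worked through as an added example that is not part of the original checklist: a small AND/OR attack tree for the database scenario, evaluated once for a wireless connection and once for an internal network, then ranked by expected loss. Every step probability and the loss figure are constructed assumptions, not measured values.

```python
"""Attack-tree evaluator for configuration-dependent risk analysis (added example).

Leaf probabilities and the loss figure below are constructed assumptions,
used only to show how an attack tree turns per-component vulnerabilities
into a ranked expected-loss figure for prioritization.
"""
from dataclasses import dataclass, field
from typing import List, Union


@dataclass
class Leaf:
    name: str
    p: float  # assumed probability (per year) that this attack step succeeds


@dataclass
class Node:
    name: str
    kind: str  # "AND": every child step must succeed; "OR": any one child suffices
    children: List[Union["Node", Leaf]] = field(default_factory=list)


def success_probability(n):
    """Combine child probabilities, treating the steps as independent events."""
    if isinstance(n, Leaf):
        return n.p
    probs = [success_probability(c) for c in n.children]
    if n.kind == "AND":
        result = 1.0
        for p in probs:
            result *= p
        return result
    fail = 1.0  # OR node fails only if every child fails
    for p in probs:
        fail *= (1 - p)
    return 1 - fail


def expected_loss(tree, loss):
    """Expected annual loss = probability the root goal is reached * loss if it is."""
    return success_probability(tree) * loss


def database_tree(network):
    """Root goal: read customer records; the reach-the-host step depends on the network."""
    reach = Node("reach DB host", "OR", [
        Leaf("phish an insider", 0.10),
        Leaf("join wireless segment", 0.30 if network == "wireless" else 0.0),
    ])
    auth = Node("authenticate to DB", "OR", [
        Leaf("guess weak password", 0.20),
        Leaf("exploit unpatched DB", 0.05),
    ])
    return Node("read customer records", "AND", [reach, auth])


def prioritize(scenarios):
    """scenarios: list of (label, tree, loss); returns (label, expected loss) highest first."""
    ranked = [(label, expected_loss(t, loss)) for label, t, loss in scenarios]
    return sorted(ranked, key=lambda r: r[1], reverse=True)
```

Running `prioritize` over the two configurations with the same loss figure puts the wireless scenario first, which is the ordering the checklist's "prioritize by expected loss" step asks for.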
2. Define, in Detail, the Security Management Approach
· Develop policies that mitigate risks by stipulating consequences and transferring risks through insurance.
· Identify procedures and guidelines to enforce the policies.
· Establish security audit and control procedures.
· Clearly state organizational roles and responsibilities.
· Institute security awareness and training programs.
· Identify technologies that protect the assets through encryption, password protections, audit trails, etc. These technologies protect the important resources by strengthening the privacy, integrity, and other PIA4 aspects.
· Employ other instruments such as intrusion detection systems (IDSs) and honeypots. IDSs are designed for continuous monitoring and detection of intruders. Honeypots are built especially to attract the intruders and keep them busy or frustrate them with nuisances.
· Select mitigation strategies that are most cost effective.
3. Enable the Security Management Process
· Deploy network management mechanisms and policies.
· Make someone in charge of enterprise security.
· Make the employees, managers, and customers aware of the security policies and procedures.
· Deploy the security technologies identified above.
· Deploy and operate audits and controls to reduce risk to the business.
· Incorporate people, process, and technology in the mitigation solution.
· Measure the security risk management process for effectiveness and verify that controls are providing the expected degree of protection.
· Develop a risk scorecard to understand security breaches and progress.
· Evaluate the risk management program for weaknesses and opportunities to improve.
· For advanced users: use security management tools.

4. Monitor the Security Management Processes
· Use frequent audits to monitor compliance with policies.
· Use frequent audits to monitor compliance with governance arrangements.
· Monitor effectiveness metrics of security management.
· For advanced users: use automated security management tools to monitor intrusions on the system.
· Deploy a solid Business Continuity Planning approach.
BUSINESS CONTINUITY PLANNING:
Develop and deploy an overall business continuity and disaster recovery plan.
· Include the most critical resources (applications, platforms, and networks) in the plan. These resources should have been included in the management considerations for applications, platforms, and networks. Verify and expand this list.
· Review and refine the network disaster recovery plan generated previously (network management checklist).
· Analyze the threats and impacts of natural as well as man-made disasters. Use different scenarios.
· Identify a disaster recovery procedure and determine how it differs from your current system, whether it can handle the workload, and whether it is adequately documented for a disaster situation.
· Include people and processes in the plan. This should include phone numbers to call, desks and working space in case of disaster, living accommodations for specialists if needed, etc.
· Test your disaster recovery plan at least twice a year and upgrade the recovery procedure accordingly. This must include the technologies, processes, and people.
· Assure that security measures (policies, firewalls, anti-virus programs, etc.) are not compromised in a disaster situation.
· Keep full documentation of the plan and backups of the configuration files and critical resources at offsite locations.