YOUR FEEDBACK
NGASI Releases AppServer Manager 8.1
Dave Jenkins wrote: The remote server management is a welcomed added feature...
May. 11, 2008 07:59 PM
SOA World Conference
Virtualization Conference
$200 Savings Expire May 16, 2008... – Register Today!
Did you read today's front page stories & breaking news?
SYS-CON.TV: Eclipse Adds SOA, AJAX, and Flex Tools. Guests Mike Milinkovich and Mike Tylor

SYS-CON.TV
SYS-CON.TV WEBCASTS
JACKBE The Big A(architecture in AJAX)
INSTANTIATIONS Eclipse Rich Internet Platform with Taylor and Milinkovich
YAHOO! Applying AJAX to Speed User's Journey
ENERJY WEBCAST Java Code Quality Management
APP SERVER SHOOT-OUT with Microsoft, IBM, JBoss, Sun, BEA, and Oracle
TODAY'S TOP SOA & WEBSERVICES LINKS


Book Excerpt
Building a Secure Corporate Environment
Viable business units can make positive contributions to the business

By: Stephen Foster
Dec. 14, 2005 02:00 PM
Digg This!

Page 1 of 4   next page »

This article is an excerpt from Larstan's The Black Book on Corporate Security. This new book is available in bookstores and the first chapter is available for free at www.theblackbooks.com. Printed with permission from Larstan Publishing, Inc. All rights reserved. Copyright 2005.

Your company needs a secure data infrastructure, but how, exactly, do you set one up from scratch? Here, a former FBI agent who now serves as an information security officer reveals the best methods for creating a system that takes control of your information.

I'm a battle-hardened veteran of DMZ skirmishes. No, I'm not talking about the "demilitarized zone" imposed between North and South Korea following the Korean War in the early 1950s. Among information security officers such as myself, a DMZ is the euphemism for a computer host or small network inserted as a neutral buffer that separates a company's private network and the outside public network. It stops outside users from obtaining direct access to a server that contains company data. As you attempt to tailor a secure network to a company's overall business strategy, crucial and sometimes controversial issues such as DMZs emerge and they must be dealt with in a forthright manner. That's why building a secure corporate environment starts with communication.

Building a new information security team is no easy task and will be fraught with many obstacles. The building effort begins during the CISO's interview process, which will provide him or her with a window into senior management's philosophy on information security. The support they provide is essential to your success (see Figure 1).

The first order of business in building any new program is the discovery phase. The CISO must get out of his office and meet other business managers face to face. Reaching out and developing a personal relationship is vital to your success. Today, too many managers rely exclusively on conference calls and e-mail. The information security team should also educate key managers within the company as to how security can partner with them to help enable their business solutions. CISOs should continually demonstrate to the business that the information security team is an integral part of the business process.

For example: Business unit XYZ requests that a risk assessment be conducted for a new DMZ they want to build. This DMZ will be used for outsourcing services to their external customers. The initial security assessment reveals numerous high-risk exposures. The business unit becomes very defensive, insisting that the security team is creating obstacles that will prevent them from being successful and meeting their deadlines. At this point some important hand-holding is definitely required. This should include detailed discussions explaining what the security team is trying to accomplish and how it will eventually enable their business goals. It should be made clear that the DMZ is going to be certified for operation and the security team is going to help them overcome any imposed security requirements. Once they understand that the security team is a full partner in the solution, attitudes will quickly change and compromises will become realities. A success story in the making.

It is imperative for anyone creating a security program to understand the needs of their internal and external customers. The CISO must understand the background and history of the company as well as each viable business unit. What are the company's products and services? What are the business environments they compete in? Who are their competitors? What are the company's strategic plans? How can information security be a value added and a market differentiator?

CISOs must also understand that the information security team does not own the computer systems, but are internal security consultants to the businesses who provide an important but supportive role. CISOs should also understand the industry their company is competing in as well as the company's proprietary products and processes. How does the company work with its customers and contractors in this industry? Many of your information systems may be dependent on these proprietary processes and the level of protection that is required. Understanding the critical assets of the company is another key goal and will drive the allocation of limited funding. Finally, you should identify industry peers that you can call on to leverage experience and ideas.

Insider Notes: It is imperative for anyone creating a security program to understand the needs of their internal and external customers. They must learn the background and history of the organization as well as each business unit.

Independent Assessment
A good way to obtain an independent view of your organization's information security posture is to conduct a full-scale security review (such as ISO- 17799) by a third-party security consultant as soon as possible. Also review prior assessments, internal IT audits, and SAS 70s for a comprehensive understanding of your company's IT security environment. By identifying the company's risk exposures and deficiencies, you can begin to develop your new information security "road map" for success.

Service Level Agreements
Another important step is to conduct a full-scale review of existing Service Level Agreements (SLA) and contracts for internal and external customers, as well as your security vendors. Ensure that they make good business sense and are in alignment with business strategies. Do your vendors provide a timely response? Are they giving your company the support it requires? Are your internal customers pleased with support from your antivirus team? When viruses impact the network, are they detected and cleaned within agreed SLA time lines?

Setting Expectations
Ensure that your organization issues a corporate-wide communication announcing the new CISOs arrival, your role, reporting structure, and support by senior management. This communication is vital to your future success.

You should also define the organizational structure for your department. This will include:

  • Develop your vision statement
  • Develop your mission statement
  • Develop your organizational chart
  • Develop function work streams to meet you goals
  • Define expected roles, responsibilities and functions
  • Define information security processes
During the CISOs interview process he or she should have negotiated the reporting structure for this new and critical role. Current industry trends support the CISO reporting to the chief legal council, chief financial officer, and/or the chief auditor. This is an important step toward maintaining independence (eGovernance) between senior IT managers, who often have different project priorities and funding requirements.

Another area for discussion is whether physical security should report to the CISO. The decision to incorporate all security into one reporting line may be simply based on the company's culture. There are many pros and cons on this subject and as such should be discussed on its own.

In essence, these are the basic building blocks required to build an information security team. Remember that your organization exists to support the business and therefore your information security team should reflect all strategic and tactical goals of the business.

Building the Security Roadmap
Once you have compiled and digested all of this information, organizational planning can begin. Again it is imperative for this plan to be in sync with the long-term business strategy of the company as well as its short-term tactical needs. Use nimbus maps, or flow-charting, but somewhere you need to get it all on paper. You should also consider hiring a project manager to coordinate and plan these activities.

Develop a program that will allow your team to demonstrate immediate progress to senior management. This can be accomplished by developing a project plan that incorporates incremental steps to achieve your goals. Hit some home runs quickly. Your "road map" should also drive the information security budget plan, ensuring that all designated priorities are properly identified and funded.

Insider Notes: No other security program will hit a home run quicker then the Information Security Awareness program. By communicating to the global user community, this program will also help you brand your new organization.

Establish Achievable Goals
Remember that your security "road map" should never advance unrealistic goals and objectives. Do not promise something you cannot deliver in order to impress your new boss. Once you lose your credibility, it will be hard to recover. Credibility is central to your continued success, especially with senior management.


Page 1 of 4   next page »

Published Dec. 14, 2005 — Reads 4,767
Copyright © 2008 SYS-CON Media. All Rights Reserved.
About Stephen Foster
Stephen W. Foster was Chief Information Security Officer at Avaya Inc. He joined Avaya after a distinguished 20-year career with the Federal Bureau of Investigation.

SUBSCRIBE TO THE WORLD'S MOST POWERFUL NEWSLETTERS
SUBSCRIBE TO OUR RSS FEEDS & GET YOUR SYS-CON NEWS LIVE!
Click to Add our RSS Feeds to the Service of Your Choice:
Google Reader or Homepage Add to My Yahoo! Subscribe with Bloglines Subscribe in NewsGator Online
myFeedster Add to My AOL Subscribe in Rojo Add 'Hugg' to Newsburst from CNET News.com Kinja Digest View Additional SYS-CON Feeds
Publish Your Article! Please send it to editorial(at)sys-con.com!

Advertise on this site! Contact advertising(at)sys-con.com! 201 802-3021
SYS-CON FEATURED WHITEPAPERS


MOST READ THIS WEEK
Virtualization Conference Keynote Webcast Live on SYS-CON.TV
By James Hamilton
Exclusive Q&A with Simon Crosby, CTO of Citrix & Founder of XenSource
By Jeremy Geelan
Virtualization is the Future of Enterprise Computing
By Jeremy Geelan
3rd International Virtualization Conference & Expo: Themes & Topics
By Jeremy Geelan
Red Hat Named "Platinum Sponsor" of Virtualization Conference & Expo
By James Hamilton
Virtualization Journal Print Archives: Volume 2 - Issue 5, September 14, 2005
By Jack Norris
3rd International Virtualization Conference & Expo in NYC to Present a World Class Faculty
By Virtualization News Desk
5th International Virtualization Conference & Expo in London Will Be the Most Significant Virtualization Event to Date
By Virtualization News Desk
V is for Venture...and for Virtualization
By Jeremy Geelan
Dell Steals Virtualization March on HP & IBM
By Maureen O'Gara
Virtualization for Deeply Embedded Applications
By Frank Altschuler
Egenera Founder Vern Brownell to Present at SYS-CON's Virtualization Conference
By Virtualization News Desk
ADS BY GOOGLE