How Do I Secure My Information Technology (IT) Environment?
The answer is: "it must be based upon the same prudent business practices that applied to earlier manual systems (prior to IT): careful definition of individual responsibilities, separation of controls, maintenance of audit trails, protection of vital records, and access to information limited on a need-to-know basis."
The actual recipe consists of just two fundamental ingredients: IT Policy and Information Security Awareness.
Let's take a look at the first ingredient... IT Policy. In another issue we provided our definition of Information Protection. Let's do it again quickly here from an auditor's perspective so you comprehend the scope of everything that we suggest falls under the "umbrella" of Information Security.
It is based on a triangle whose three legs are Information Security, Business Continuity, and IT Compliance. Each of these legs can be broken down and defined as follows:
The Information Security leg consists of confidentiality and integrity. Confidentiality ensures that company / customer information is not disclosed to anyone who is not authorized to access it. Linked to this concept is the idea of need-to-know, authorizing access only to those who can demonstrate a legitimate business need for the information. Integrity ensures that information cannot be accidentally or intentionally modified or destroyed.
The Business Continuity leg consists of mitigation, crisis management, and contingency management. Mitigation deals with reducing or eliminating risks. Crisis management deals with the planning and training of people for the survival of the business team and the business entity following a disaster. Contingency management deals with planning for the recovery and continuation of critical internal and customer business functions following a service interruption, and the testing of business recovery plans. This segment has also been known as availability in the past, but the scope is much broader today.
Finally, the IT Compliance leg consists of sound business practices that do not fall within the scope of the other two legs. Included in the scope of the IT Compliance leg is adherence to the laws and ethics that govern us, i.e., copyright infringement, software licensing, export compliance, etc. These are controls, laws, or ethics principles, and are exactly what auditors look for, which is why the leg is called IT Compliance (being able to pass a stringent audit because the business is controlled, information is adequately protected, and laws are not being violated).
Published high-level IT Policy must touch on each of these major components in order for the security policy of the IT environment to be all-encompassing. Following the high-level definition you need statements that specifically address the requirements in detail (how the organization is to accomplish the high-level definition). Finally, to make it all happen, you need to implement controls, standards, procedures, and mechanisms to support the policy.
The second ingredient, Information Security Awareness, can be understood better when looked at in the following way:
One of the primary corporate obligations is to protect Corporate Information, and the Customer Information of which the corporation is the custodian. Every employee must understand the corporation's concern with Information Security. It is management's responsibility to ensure that ALL personnel are made aware of pertinent practices, and of the requirement to understand and heed them.
Both federal and state regulations exist which relate to the control of, and authorized access to, information and computer resources:
• The Foreign Corrupt Practices Act (FCPA) of 1977 made most corporate managers and directors personally liable for assuring that "transactions are properly authorized, transactions are properly recorded, and access to assets is properly controlled". The Act also requires management to provide shareholders with reasonable assurances that accurate books and records are properly maintained, and that the business is adequately controlled.
• The Copyright Act of 1976 reaffirmed that computer programs and software are protected under the Federal Copyright Law. One must read and understand licensing agreements before attempting to make copies of programs or documentation.
• Every state in the United States has enacted Computer Crime Laws which establish specific penalties for unauthorized persons attempting to access a computer system, or for assisting someone in gaining unauthorized access to a computer system.
We've made it look pretty simple with just a few paragraphs of information. These are probably the two most important ingredients, but behind the scenes there are a lot of items to be addressed, and a ton of work to be done to accomplish the objective of securing an IT environment.