Key Elements of Effective Security Planning
By Rickie K Helmer, CEO and ISO/IEC 27001 ISMS expert, NetQuest
Most of us are aware of the fact that security threats of all kinds challenge us once we venture onto the internet, whether we are using it privately or through our daily work.
When journeying into new ventures of investment in new technology, we therefore need to consider the impact security issues may cause, to hinder or disrupt the use of our investment, as the slightest security issue upon launch and daily operations leaves the technology vulnerable and open to not only loss of proprietary data, but also company reputation.
“The datacenter should, as a minimum, have multiple secured physical access points, power and cooling systems, offering the necessary redundancy, besides 24/7 video surveillance and alarm systems”
Companies thus need to think twice when they decide to invest in Statistical Analysis Software solutions, as the needed amount of total resources requires not only a significant cost of thousands of dollars, but also hundreds of hours of work for development and implementation. Not forgetting the constant improvement and maintenance once everything goes into production.
Instead of rushing into investment of new technology, mainly because of an organizational need for analyzing data and bringing forth answers to certain immediate questions, a suggestion of strategic planning and preparation is what most CIO and CTOs should bring forth to the people who are eager to have the new technology available “here and now”.
The reason for this is to ensure that the solution not only provides the requested needs of the organization, but also continues to do so day after day, based on a robust and secure operational environment.
Now, having said that, then we need to look at the broader picture of a Statistical Analysis Software solution, which consists not only of the application itself, but also infrastructure solutions such as a datacenter, physical and virtual hardware, including the network infrastructure and security devices here upon.
To protect the investment best possible, it is necessary for each layer to be secured and remain so. Below is an overview of the aspects that are need to be tended by the different people implementing, running, and maintaining the solution.
The datacenter should, as a minimum, have multiple secured physical access points, power and cooling systems, offering the necessary redundancy, besides 24/7 video surveillance and alarm systems. All these systems should be tested on a regular basis and at best be supported by an Information Security Management System (ISMS) audit certificate, either at SSAE16, ISEA 3402 or an ISO/IEC 27001 ISMS level.
Not that an ISMS certificate from and auditor is proof of that everything is kept at a flawless operational level, but to ensure that the documentation and necessary tests are conducted according to “best practice” in the industry.
When investing in a costly statistical analysis software solution, the infrastructure requirements should at minimum offer redundancy for all aspects of network infrastructure, firewalls, power supplies and disc storage arrays. This can be obtained by either building a private cloud or making use of a cloud service that supports both datacenter and infrastructure requirements.
However, once making use of a cloud solution provider for datacenter and infrastructure services, numerous things should be taken into consideration by the CIO, as it is just as important to verify the security of using cloud as running the entire solution yourself.
Whether making use of a private or public cloud solution, the network infrastructure in each instance should actively protect the investment by offering the organization a continuous active defense against attacks from the Internet in form of Distributed Denial of Service (DDoS), IP filtering in both routers and firewalls, based on active monitoring and logging of all incidents.
As with the datacenter requirements, the infrastructure should also be certified by an ISMS auditor, which most likely will be part of the same certification, should an organization choose to make use of a cloud service provider supporting both datacenter and infrastructure requirements.
The statistical analysis software solution will need to be placed on servers running the latest stable version of a recommended operating system, with file- , database and web servers in combination, all supporting the solution to operate correctly.
Each and every part of the setup, from operating system and up, needs to be constantly maintained and updated to the latest stable version level, besides constantly being monitored by anti-spoof, and antivirus protection software.
Furthermore, any and all Internet faced servers, and the servers supporting these, need to be constantly hardened with the newest security settings, such as shutting down unnecessary services and web server functions, which in most cases should be shut down permanently instead of being set to manual startup.
Finally yet importantly, most professional organizations today make use of an Internet faced security scanning service outside of the organization, that frequently scans and reports on the entire solution for possible security issues that need immediate attention.
The Statistical Analysis Software Solution
The Statistical Analysis Software solution itself will need to be maintained and updated with the latest patches and service packs, which should ensure that the latest hostile takeover attempts can be avoided, as it keeps the solution lean and mean, thus free from SQL injection attacks.
However, this will most likely require that the organization signs a service agreement with the solution provider, which is common for all software today.
As so many considerations are needed to ensure a robust, stable, and secure solution of any kind, my suggestion to any organization is to take some time out to plan their implementation based on the future, and not just present needs.
This is exactly what you will hear from most people involved, when taking a look at most professional project management methods used for implementing an Information Security Management System.
Everyone will probably agree that in the long run it is much more cost-effective to invest the time “here and now” to secure the future, than later once the solution is already in operation.