Dealing with the all too evident problem of network security, governance, risk and compliance has cost US companies around $29.8 billion so far this year. Arvind Benegal, general manager security services at MindTree, shows how you can maximise security using GRC.
As new technologies continue to emerge and evolve, new threats, and motives behind the threats, are correspondingly evolving. From script-kiddies and hackers to cyber-terrorism and cyber-crime such as corporate espionage, there is a whole new underworld economy. It is not just the iPods and iPads that are on sale on the web, but botnets, zombies and a host of other malware that can be purchased just as easily.
AMR Research indicates that US companies have this year spent around $29.8 billion on governance, risk and compliance (GRC), and that risk management remains the top GRC motivation. Organisations worldwide continue to spend huge amounts in protecting their network, regulating their data and maintaining business viability. As each year goes by, security and compliance spend is on the rise but so are the threats and tangible and intangible losses due to those threats.
It is very clear that the underworld cyber-economy has been constantly working overtime to beat the good guys. There are many reasons for rising losses and this often leads to organisations resorting to quick-fix solutions and trying to beat the competition. One of the key reasons for these losses is that controls and procedures are not always based on sound governance and a risk management structure which spans the entire organisation.
Network security controls play a vital role in protecting an organisation. They provide the basis on which other controls, including application controls, can be built to maintain a more formidable security position. While it is true that GRC encompasses a whole host of initiatives, this article focuses on maximising the effectiveness of network security controls by using an approach that revolves around GRC.
Get the big picture
Knowledge about business requirements for security, privacy and compliance must percolate through all the levels of an organisation. Though the role played by a security guard, or by a member of staff at the bottom of the hierarchy, may seem less consequential to the mind’s eye when compared to the role of senior leadership, this could be the first weak link in the chain. Knowledge of the ‘Big Picture’ can significantly lower the likelihood of failure in controls and processes.
Knowing, for example, about the organisation’s compliance requirements helps build a strong business case for network security controls, especially in the wake of proliferating regulations and customer demands. Aligning with security and compliance requirements helps justify the budget for additional network security controls, including consolidation such as using IAM, SSO, etc.
Knowledge of the big picture can also help avoid implementation of controls in silos and re-inventing the wheel. It points out the significance of collaboration among key stakeholders such as business, IT, security, risk and audit personnel and helps them to connect the dots. Better connected policies and technologies provide for greater business agility and help you stay ahead of the competition.
Regulations such as PCI DSS can certainly be used by organisations to narrow the gap between business and compliance alignment. PCI DSS helps by being more prescriptive about the control requirements. It ensures that not just security and compliance professionals but also business process owners can better connect the dots. Thus a system or firewall administrator can better understand where it will hurt them and the organisation the most and also appreciate the role from an organisation perspective. For example, knowing the network segment where card holder data resides can help you design more effective firewall and IPS policies.
Create a culture of risk, security & compliance
If people form strong links, then weaknesses in technological controls and processes can be overcome. The reverse is not always true, given that the ‘insider’ threat landscape is continuously expanding. Controls and processes can be weakened by ineptitude or ignorance; therefore, building awareness of compliance requirements at all levels will certainly help.
Accidental violations and breaches by ‘insiders’ are, for example, costing organisations more heavily than external malicious attacks. It’s often been said that an organisation’s success is due to its employees. However, according to Corporate Combat Inc, USA, employees from the entry-level customer service representative to the senior executive are costing US organisations more than $40 billion a year through theft. If fraud is included as theft, the figure rises to more than $600 billion!
Risk assessment
Articulating business impact demands knowledge of business requirements for security, privacy and compliance. The key here is to keep network security in sync with business applications.
Data classification is, for example, one of the building blocks of a successful security strategy. It provides the basis for validating risk and, depending upon business requirements for security and compliance, it helps build a case for successful implementation of IT general controls such as Information Security (IS), Business Continuity Process (BCP), Network Access Control (NAC), Data Loss Protection (DLP), and Identification & Authentication (IA).
Consult, communicate & collaborate
People are essential at every stage of the GRC journey. Success and effectiveness of GRC is heavily dependent on a common and consistent language across the organisation. It relies on consistent and timely communication and it is crucial to build the culture with executive leadership leading from the front.
Knowledge of PCI-DSS requirements can, for example, certainly help in the design and testing of the controls needed for applications to protect card holder data. Many applications continue to be exploited through abuse of legitimate functionality rather than by specific attack code.
GRC is a continuous process carried out by a set of people and run by a set of policies, processes and procedures. While technology is an important ingredient of any such process, by itself it cannot meet or sustain compliance. Technology can help in automation, in reducing errors, omissions and other accidental violations, and in reducing the opportunities for fraud. However, technology requires people to create and maintain it, and that scenario is likely to continue for a while. As the insider threat rises, controls will tend to become more information-centric and less people-centric.
Audit, analyse and align
Governance, risk management, security and privacy are a part of a continuous journey in any organisation’s initiatives and investments in compliance. As businesses change and develop so risk and compliance are also in a state of flux to meet the growing threat landscape.
It is interesting that web applications have become the face of organisations. In an effort to reduce overall costs and maximise productivity, organisations continue to take advantage of cutting-edge technologies such as Web 2.0 services, cloud computing and virtualisation. However, increased automation, a mobile workforce, the need for multiple access mechanisms, web-enabled services, and IT-driven business strategies and delivery have thrown open the floodgates for new risks.
Aligning the use of these emerging technologies requires a deeper understanding of the underlying business processes that these applications support and automate. Network security controls need to be designed and built with the knowledge of the applications and the data handled by them.
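The PCI DSS example earlier (knowing which network segment holds card holder data) and the point above that network controls must be built with knowledge of the data they protect can both be turned into a repeatable check. The following is an added illustration, not code from the article or from MindTree: a small audit that maps firewall rules onto a data-classification map of segments and flags allow rules that contradict it. The segment ranges, rule names, the `Rule` dataclass, the `ALLOWED_INTO_CDE` allow-list and the sample rules are all constructed for the demonstration.

```python
"""Audit firewall rules against a data-classification map of network segments.

Added illustrative example (not from the original article). Segment ranges,
rule names and the allow-list below are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example: each segment is labelled by the most sensitive data it holds.
SEGMENTS = {
    "cde":   ("10.10.0.0/24", "cardholder"),   # cardholder data environment
    "corp":  ("10.20.0.0/16", "internal"),
    "mgmt":  ("10.40.0.0/24", "internal"),
    "guest": ("10.30.0.0/24", "untrusted"),
}

# Constructed policy: the only non-CDE sources that may reach the CDE,
# expressed as (source segment, protocol, destination port).
ALLOWED_INTO_CDE = {("mgmt", "tcp", 22)}


@dataclass
class Rule:
    name: str
    src: str
    dst: str
    proto: str
    port: Optional[int]   # None means any port
    action: str           # "allow" or "deny"


def segments_for(cidr: str) -> set:
    """Return the names of every segment a CIDR overlaps (empty if unclassified)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {name for name, (rng, _) in SEGMENTS.items()
            if net.overlaps(ipaddress.ip_network(rng))}


def audit_rules(rules: list) -> list:
    """Flag allow rules that contradict the classification of the segments they join."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src, dst = segments_for(r.src), segments_for(r.dst)

        # Anything other than intra-CDE traffic reaching the cardholder segment
        # must come from exactly one classified segment on one known port.
        if "cde" in dst and src != {"cde"}:
            if len(src) != 1 or r.port is None:
                findings.append((r.name, "unclassified, broad or any-port source into CDE"))
                continue
            (src_seg,) = src
            if (src_seg, r.proto, r.port) not in ALLOWED_INTO_CDE:
                findings.append((r.name, f"{src_seg} -> CDE not in allow-list"))

        # The cardholder segment should never be allowed to talk to an untrusted one.
        if "cde" in src and any(SEGMENTS[d][1] == "untrusted" for d in dst):
            findings.append((r.name, "CDE egress to untrusted segment"))
    return findings


# Constructed sample rule set in the order a firewall would evaluate it.
SAMPLE_RULES = [
    Rule("mgmt-ssh",  "10.40.0.0/24", "10.10.0.0/24", "tcp", 22,   "allow"),  # permitted path
    Rule("corp-web",  "10.20.0.0/16", "10.10.0.0/24", "tcp", 443,  "allow"),  # corp -> CDE, not allowed
    Rule("any-in",    "0.0.0.0/0",    "10.10.0.5/32", "tcp", 3389, "allow"),  # source far too broad
    Rule("cde-guest", "10.10.0.0/24", "10.30.0.0/24", "tcp", None, "allow"),  # cardholder -> untrusted
    Rule("deny-all",  "0.0.0.0/0",    "0.0.0.0/0",    "any", None, "deny"),
]

if __name__ == "__main__":
    for name, reason in audit_rules(SAMPLE_RULES):
        print(f"{name}: {reason}")
```

The check is deliberately driven by the classification map rather than by the rules themselves: when the data owners reclassify a segment, the same audit re-evaluates every rule against the new picture, which is the collaboration between business, security and network staff that the article asks for.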
In conclusion, every standard and best practice in information security stresses that the human resource is the biggest asset. It is ironic, therefore, that information assets primarily need protecting from people assets, whether through unintentional or malicious actions. Governance, risk and compliance must look beyond technology which, in most cases, is likely to be implemented in a piecemeal fashion, given the pressures of the marketplace. GRC has a central role in governing and facilitating IT projects and aligning them with the overall business goals.
Source Link: http://www.vital-mag.net/2010/11/protecting-your-network/
Copyright © 2012. All Rights Reserved
