This article can also be found in the Premium Editorial Download "Information Security magazine: Top forensics tools for tracking down cybercriminals."
Download it now to read this article plus other related content.
Offloading to Operations
With more focus on risk management, security managers are offloading duties in other areas. Operational teams like network, application and server administrators remain the most logical place for security duties like firewall maintenance, IDS management and safe server configurations.
"We guide our network team and approve security actions that they implement," says John Kramer, information security manager at the University of Pennsylvania Medical Center. "Local understanding always outweighs corporate-level decision making lest the users get impacted by broad-brush decisions that are not viewed from a local business-needs perspective."
|How Are Things Going?|
"Security can only be adequately interpreted at the local level to be most accommodating to the users and their business needs," Kramer says. "Centrally, we cannot do justice to these disparate and specific local needs. We provide the high-level direction, and they interpret and implement local solutions that best meet the needs of both the central direction and the local quirks."
The integration of risk into the security operation is an offshoot of the need to comply with regulations. For most public companies, complying with SOX, HIPAA, GLBA and other industry-specific regulations is an ongoing initiative. As the routines are ingrained in everyday operations, confidence grows that the compliance challenge will lessen.
ConAgra Foods, for example, has created a homegrown risk-assessment methodology called the System Security Plan, based on NIST Special Publication SP-800-30 and the Microsoft Security Risk Management Guide. New systems or applications must adhere to the plan before it's put into production. The plan has three components that describe the new system and any risks associated with that system, and a 10-point checklist that determines its compliance with policy.
While 72 percent of respondents said they'll be spending more time and money on compliance-related activities in 2006, Woerner says ConAgra's initial push is over.
"The cost for compliance is dropping as it becomes a regular activity," Woerner says. "Now that the processes and procedures are in place, there are fewer costs involved. Most of the expense is on outside auditors to attest compliance."
This was first published in December 2005