As we transition into what may be a bleak 2009, organizations everywhere will undoubtedly look at where they can cut costs or trim staff levels. Since IT security benefits have a mostly intangible effect on a corporation's bottom line, it is an area that, in many cases, may unfortunately be one of the first to get squeezed on budget. This is a real worry for many information security managers and staff alike, as I'm guessing security funds weren't frequently increased when times were good. In short, we're now likely to see the composition of already overstretched resources scaled back even further.
Any budget cuts, however, shouldn't lead to a drop in security awareness. As a security manager, make high-level sponsorship of information security a priority within the organization to ensure continued compliance with security policies. Managers in other departments will be under a lot of pressure to get projects completed quickly and economically, but those needs shouldn't lead to a situation where security is compromised. Disasters can be avoided by checking that the ownership, responsibility and accountability for risk are made clear in policies and job descriptions. After all, senior management is legally responsible for compliance.
So how can infosec teams best tackle the tough times ahead? One issue that needs immediate attention, particularly if redundancies are likely within the IT department, is continuity. Unless skill and succession planning are put in place, current knowledge can leave when team members do. Does more than one person know how to maintain and troubleshoot the mail server? How many administrators really know how to configure the firewall? The separation of duties is important for security, but so is the rotation of duties. It ensures you're not reliant on just one member of staff for a particular skill -- a predicament that can often occur when the team is small, or if there's a lack of younger members being identified and trained up.
Human resources security policies should be reviewed to ensure they enforce a robust employee security lifecycle, including any external temporary workers, consultants and contractors. HR and IT departments must work closely when colleagues face changes of circumstance to ensure that access to IT resources and facilities always accurately reflects an employee's status and job function. For instance, procedures to ensure the return of swipe cards and ID badges are commonplace when an employee leaves an organization, but there are often gaps in managing logical security, such as the timely closing of a network account.
Merging physical and logical IT security teams
One way to improve overall security management without spending more is by merging the physical and logical security teams. With limited resources, it has always been difficult to enforce compliance at the desktop, given the nature of Post-it note passwords, unsecured laptops or USB keys and the like.
Why not make more use of the physical security teams who already patrol your office buildings and facilities? They can be easily trained to look for information security policy violations, such as cleared desks or properly secured server rooms, while on patrol and report back on any violations. Equipping night patrols with wireless detection devices, which cost a few hundred dollars at most, would enable them to look for rogue routers. Such steps would provide almost daily security compliance reviews. Employees would quickly become aware that the IT security team has a physical as well as a logical presence. The message could be reinforced by compulsory awareness training for violators. This approach gives real protection at a relatively low cost.
By working more closely with the physical security staff, the infosec team can also maximize the security potential of both sets of systems, protecting real and logical assets. For example, staff from many organizations may be required to carry an ID card. If the cards were also used for single sign-on, they would provide a centralized means to establish and enforce access policies for physical and logical resources using two-factor authentication. The two teams responsible for security can complement and reinforce each other's work and achieve better compliance with many policies and regulations, which is a worthwhile goal in its own right.
In 2009, every organization is going to be focused on being smarter, leaner and cheaper, so security is not going to be a top priority. It is important that infosec teams understand this, otherwise they are doomed to frustration and failure. However, by using the changes that inevitably occur during downsizing and restructures, there are many ways in which the importance of information security can be communicated. Change provides an opportunity to embed security into new business processes and a chance to eliminate a culture that allows people to bypass or omit it.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.
This was first published in January 2009