During my 18-year career providing information security services to a wide variety of organizations, I've seen many that do information security well -- by correctly identifying and prioritizing risks, appropriately protecting critical data and promptly mitigating security gaps -- and many that do not.
Organizations that have good security habits ("secure organizations") share certain traits that are lacking in organizations that don't do information security well ("insecure organizations").
In this tip, we'll look at the top 10 traits of secure organizations.
Top 10 good security habits of secure organizations
1. At secure organizations, information security is supported by senior management. Support includes making resources and budget available for information security, as well as clear statements by senior management that information security is a priority for the organization. Since senior managers establish priorities and set the tone for an organization, it is difficult to be a secure organization without their clear and consistent support. As a result of the recent spate of high-profile security breaches, most senior managers now understand the importance of information security and will support information security efforts.
2. Secure organizations regularly identify and document how sensitive data -- customer and/or proprietary -- flows into, through and out of the organization. This enables an organization to focus its time, effort and money on protecting its sensitive data where it actually lives and moves. Conversely, it's difficult for an organization to protect what it doesn't know about, and organizations that skip this exercise struggle to protect their data.
3. Secure organizations create and maintain a formal, documented inventory of all systems that process, transmit or store sensitive data -- including the operating system and its version, whether the host is physical or virtualized, and which major applications (and versions) are installed. Without such an inventory, an organization can't fully understand what systems it must protect. With it, an organization can quickly determine whether a newly published vulnerability is relevant to its systems, and which of the affected systems matter most.
4. Secure organizations segment sensitive systems from non-sensitive systems through jump servers, firewall rules, router ACLs or switch VLANs. This minimizes the attack surface for an organization's sensitive systems and allows access to the systems to be tightly controlled and logged.
5. Secure organizations have a strong change-control process that is rigorously enforced. Changes, including emergency changes, are fully documented, then formally reviewed and approved (for emergency changes, the review and approval happen after the fact, but they still happen). Unapproved changes can introduce security vulnerabilities that nobody knows about until there's a breach.
6. Secure organizations have a strong configuration management process. Sensitive systems are hardened and built with only the functionality they need, via an automated build process or a configuration management tool such as Puppet or Chef. After the initial build, the same tools regularly check each system's configuration and re-apply the hardened baseline, or strong change control is used to maintain system configuration; either way, the goal is to prevent configuration drift away from the hardened state.
7. Secure organizations store as little sensitive information as possible on their systems. Sensitive information that must be kept for business or legal reasons is stored on as few systems as possible per a formal, documented data retention policy and is securely deleted when no longer needed. All stored sensitive information is regularly reviewed and justified.
8. Secure organizations strongly encrypt stored and transmitted sensitive data and have robust encryption key management procedures and processes. Correctly implemented and managed, strong encryption makes stolen data useless to an attacker who does not also obtain the keys, which is why key generation, storage, rotation and access control matter as much as the choice of algorithm.
9. Secure organizations consistently collect and review logs from their sensitive systems. Scripts or automated processes search the collected logs for pre-defined events, such as when a new account is added or an account is granted administrative rights. When such an event is detected, an alert is sent to the appropriate employee(s), who then investigate it.
10. Secure organizations regularly test their sensitive systems for vulnerabilities via vulnerability scans or penetration tests. Done correctly and regularly, such tests provide "real world" confirmation that an organization's security controls are working. If an organization is not testing its defenses, attackers will likely do the testing -- and they won't report the results.
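Habit 3 says an inventory lets an organization quickly decide whether a vulnerability is relevant. The following is an added example, not code from the original article: it shows the minimum an inventory record needs to carry (OS, physical/virtual, application versions, sensitivity) for that question to be answerable, and a query that returns the affected hosts with sensitive systems first. The hosts, versions and the "httpd fixed in 2.4.51" advisory are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class System:
    host: str
    os: str               # operating system and version, e.g. "Ubuntu 22.04"
    virtual: bool         # True if virtualized, False if physical
    apps: Dict[str, str]  # major application -> installed version
    sensitive: bool       # processes, transmits or stores sensitive data


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.4.49' into (2, 4, 49) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def affected_by(inventory: List[System], product: str, fixed_in: str) -> List[str]:
    """Hosts running `product` at a version older than `fixed_in`.

    Sensitive systems are listed first so remediation is prioritized correctly.
    """
    fixed = parse_version(fixed_in)
    hits = [
        s for s in inventory
        if product in s.apps and parse_version(s.apps[product]) < fixed
    ]
    hits.sort(key=lambda s: (not s.sensitive, s.host))
    return [s.host for s in hits]


# Constructed inventory for the example (hypothetical hosts and versions).
INVENTORY = [
    System("web01", "Ubuntu 22.04", True, {"httpd": "2.4.49", "openssl": "3.0.2"}, True),
    System("web02", "Ubuntu 22.04", True, {"httpd": "2.4.52", "openssl": "3.0.2"}, False),
    System("intranet", "CentOS 7", False, {"httpd": "2.4.50"}, False),
    System("db01", "RHEL 8", False, {"postgresql": "14.2"}, True),
]

# Hypothetical advisory: httpd releases before 2.4.51 are affected.
if __name__ == "__main__":
    print(affected_by(INVENTORY, "httpd", "2.4.51"))
```

Because `web01` is flagged as sensitive it sorts ahead of `intranet`, and `db01` is not listed at all because it does not run the product; without versions in the inventory the same query could only say "we run httpd somewhere".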
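Habit 9 describes scripts that search collected logs for pre-defined events, such as a new account being added, and alert the right person. The following is an added example, not code from the original article, of that detection logic run over a few constructed Linux syslog lines. The rule patterns match the message formats that shadow-utils (`useradd`, `usermod`) and OpenSSH write to syslog; the hostnames, timestamps and the `ROUTING` table of who gets alerted are assumptions for the example, and `notify()` returns the messages instead of sending them.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Pre-defined events worth an alert: (rule name, pattern, default severity).
RULES = [
    ("account_created",
     re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+), UID=(?P<uid>\d+)"),
     "medium"),
    ("privileged_group_added",
     re.compile(r"usermod\[\d+\]: add '(?P<user>[^']+)' to group '(?P<group>sudo|wheel|root|admin)'"),
     "high"),
    ("root_login_over_ssh",
     re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>root) from (?P<src>\S+)"),
     "high"),
]

# Classic syslog prefix: "Mar  3 02:14:07 hostname ..."
SYSLOG_PREFIX = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ")

# Hypothetical routing of alerts by host; anything else goes to the SOC.
ROUTING: Dict[str, str] = {"db01": "dba-oncall@example.com"}
DEFAULT_RECIPIENT = "secops@example.com"


@dataclass
class Alert:
    rule: str
    severity: str
    host: str
    timestamp: str
    details: Dict[str, str]


def scan(lines: Iterable[str]) -> List[Alert]:
    """Run every rule over every syslog line and collect the matches."""
    alerts: List[Alert] = []
    for line in lines:
        prefix = SYSLOG_PREFIX.match(line)
        if not prefix:
            continue  # not syslog-formatted; skip rather than crash the job
        for name, pattern, severity in RULES:
            hit = pattern.search(line)
            if not hit:
                continue
            details = hit.groupdict()
            # A brand-new account with UID 0 is a second root account: escalate.
            if name == "account_created" and details.get("uid") == "0":
                severity = "critical"
            alerts.append(Alert(name, severity, prefix["host"], prefix["ts"], details))
    return alerts


def notify(alerts: Iterable[Alert]) -> List[Tuple[str, str]]:
    """Build (recipient, message) pairs; a real job would hand these to mail/pager."""
    out = []
    for a in alerts:
        recipient = ROUTING.get(a.host, DEFAULT_RECIPIENT)
        msg = f"[{a.severity.upper()}] {a.rule} on {a.host} at {a.timestamp}: {a.details}"
        out.append((recipient, msg))
    return out


# Constructed log sample: a service account created and made sudo-capable on db01,
# then a UID 0 account created on web02 followed by a password login as root.
SAMPLE_LOG = """\
Mar  3 02:14:07 db01 sshd[1401]: Accepted publickey for deploy from 10.0.5.20 port 50122 ssh2
Mar  3 02:14:30 db01 useradd[2311]: new user: name=backupsvc, UID=1005, GID=1005, home=/home/backupsvc, shell=/bin/bash
Mar  3 02:14:41 db01 usermod[2320]: add 'backupsvc' to group 'sudo'
Mar  3 02:15:02 web02 useradd[977]: new user: name=toor, UID=0, GID=0, home=/root, shell=/bin/bash
Mar  3 02:16:55 web02 sshd[1010]: Accepted password for root from 203.0.113.9 port 4242 ssh2
Mar  3 02:17:10 web02 CRON[1022]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()

if __name__ == "__main__":
    for recipient, message in notify(scan(SAMPLE_LOG)):
        print(f"{recipient}: {message}")
```

The ordinary `deploy` login and the cron line produce nothing, the `backupsvc` creation and its addition to `sudo` go to the database on-call address, and the `toor` account with UID 0 is escalated to critical: the point of pre-defining events is that the script decides what is interesting, and a person only looks at what it raises.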
The above 10 good security habits can make -- and keep -- an organization secure. With careful planning and design, the traits can become part of the organization without having to purchase or implement fancy, expensive technology.
About the author:
Steven Weil, CISSP, CISA, CISM, CRISC, QSA, is an independent security consultant. He has 18 years of experience in information security design, implementation and assessment. He has provided information security services to a wide variety of organizations including government agencies, hospitals, universities, small businesses and large enterprises.