Enlist a phased, proactive roadmap

March 13, 2007

These extreme scenarios are both irrational and impractical. Most of us regularly wrestle between providing functionality to users and protecting the company's assets. Given the limited budget to implement IT security, one can take a phased, pro-active approach to address it holistically.

Identify your gaps
This is your first step toward developing a security roadmap for the next two years. This will involve knowing what you have and what you don't.

List the main options to fill those gaps:  
Do not go into an exhaustive market survey of vendors and their offerings and then adopt their solutions. Rather, approach it from a technology and process angle and clearly delineate your high-level requirements.

Prioritize those options and sketch them over a two-year period. Given the funding reality of most organizations, having a plan, allocating a budget and implementing them in a phased approach generally ensures that projects are fully implemented and remain within the budget.

Assign budgetary value to priorities
This will include a general market survey of the major vendors and their various offerings. Since you have not developed a full RFQ [request for quotation] yet, with a detailed list of requirements and deliverables, this will be a high-level figure.

Sell your plan to management:  
Once you have a two-year roadmap, the next challenge is to sell it to management. Key to success will be to present a convincing business case justification where your IT security expenditure targets are aligned with the overall business goals of the company. If you cannot demonstrate this persuasively, your plan will only be partially, if at all, funded.

Implement and audit:  
Follow standard IT project management principles to implement and then perform regular audits to gauge the overall IT security posture of the company.

Communicate:  
Constantly educating your users on pros and cons will enhance security awareness. Remember, human beings are generally the weakest link. Have a dedicated campaign to educate them. Equally important is to show a return on investment to management. Given that this approach will be taken again next year, it is very important for you to show progress, demonstrate tangible returns on overall security and then present the subsequent plan.

Most organizations have the necessary boundary devices to segregate external, DMZ and internal resources. Beyond that, however, there may be several gaps.

Just because you don't know about an issue right away, does not mean those company assets/information have not been compromised. It will certainly have an impact on either employee productivity time, company brand value and/or company's intellectual property rights.

Most organizations do have an enterprise anti-virus system and a patch management process, yet they continue to struggle to attain 100 percent compliance. Many are susceptible to virus and vulnerability due to incomplete anti-virus and patch management techniques and procedures.

With the preponderance of proxy avoidance servers on the internet, internal users may be knowingly/unknowingly downloading malware into the enterprise. Couple this with the fact that any guest can connect into your LAN using a laptop, enforcing vulnerability management policies becomes difficult.

With a confluence of installations, user rights and privileges are managed across a variety of platforms. This leads to irregular identity management practices, not just for company employees, but also for contractors and extranet partners.

Given that there is a finite budget, time and personnel to implement and maintain a secure posture, prioritizing will depend on a variety of factors. Instead of reacting to vendor offerings, seasoned security practitioners develop a security roadmap for their company and maintain it as a living document to adjust to tech advancs.

- Mirza Baig is an associate vice president at Infosys.

prestitial ad