Must-haves for building comprehensive information security infrastructure
08.12.2015
Building a smart and effective information security infrastructure is quite a challenging task many companies cannot embrace to the full extent, which results in gaps in corporate security. You have installed an antivirus – and an employee has opened a link in a phishing email. You have set up a firewall – and a disloyal employee has emailed your Business Plan to competitors. You have implemented a DLP system – and a DDoS attack has shut your web services down. Because of the diversity of threats, companies need a comprehensive approach to the protection of information resources. Do you know what you need to envisage before implementing a DLP system into your company? The Analytical Center of Falcongaze has compiled a list of measures needed to implement the DLP-system which necessary to ensure its effective functioning and full-fledged use.
Document Management
A well-organized system of information storage and document management is an important, though often overlooked component of building information security infrastructure. Companies often do not have firm knowledge of where exactly their sensitive information resides on the network. The main objective in this situation is to gain knowledge about the location of sensitive information, its structure and access rights. It is pointless to try to protect a vague set of documents – all data should be classified and structured. These tasks are covered by various enterprise project management and DMS products. In cases, when operational convenience involves remote workforce, access to confidential data and corporate resources can be established over the Internet. The volumes of data in these situations should be minimized and the employees should connect to the resources over secure channels.
Access Rights Management
Every company is subdivided into divisions or departments, which have various levels of responsibility and competence. The bigger a company, the higher staff diversity, the more complicated corporate structure. Growth often comes with new divisions, remote offices and regional branches. It is quite obvious that each user group requires its own level of access rights, especially when dealing with confidential information. Bank accounts info and contract details are within the Accounting Department professional competence, and IT division has nothing to do with this data for sure. Accounting officers should be definitely kept away from servers and development resources. To ensure such an approach there is diverse identity management functionality available, and most of the corporate systems allow creating group policies.
Some information security products, like SecureTower by Falcongaze, provide division managers with access to information on their staff only; information security officers have access to security incidents only and cannot browse through user activities; information on financial documents, transmitted by accounting officers, can be available to the CEO solely. All components of corporate infrastructure should be tuned in a similar way: configuration of various prohibition levels on firewalls, access to documents can be easily configured in all major project management solutions, physical access is covered by access control and management systems.
Organization of SOC
Proactive strengthening and optimization of corporate information security infrastructure in face of evolving threats requires organizing a security operations center (SOC) with skilled personnel. Small and medium-sized enterprises usually lay all information security functions on IT department, and it is the wrong approach. A company should have at least one specialist who is responsible for integrity and comprehensiveness of information security system.
Web application security
It is hard to imagine a modern company which operates strictly offline and only uses its site to mark its presence on the web. There are numbers of companies which are not engaged in IT business, but they still provide auxiliary online services. Today businesses create personalized user accounts and smart applications to deliver customer satisfaction. Even big companies cannot provide safety from mistakes and breaches (recent TalkTalk incident speaks loud for that). Smaller companies with less investment into security risk even more. Even a simple news subscription web-service form can pose potential threat – customers won’t be happy if their emails suffer from spam attack. Safe operation of website and application today does not guarantee the same status tomorrow. Normal performance requires constant patching, updates, consideration of bug reports and timely response to incidents. It might be a good option to outsource these services, however a company should consider the risks mentioned below.
Outsourcing services
Access of third-party contractors and service providers to storage and processing of sensitive information should be reduced to minimum. The more parties have access to the data, the higher the risks of leakage. Cloud service providers, SaaS-services, contractors, outsourcers – “trust but verify” principle must lie in the core of any relations. Optimal performance is achievable with reasonable balance. Try to avoid extremes. For example, on certain stage there might be a situation when a company faces the choice: to host the website on the company-owned server or choose professional hosting service instead. From the one hand, full control is preferable, from the other – are you sure you can provide the same level of support as a specialized provider? There is no universal answer, but measured approach and granular analysis together with dedicated risk assessment should be definitely applied before signing up with external contractor or service provider.
Installation of updates
Timely check for updates and their correct management is critical. Unattended vulnerabilities often become the reasons for breaches. Unfortunately, the frequent scenario is that vendors first launch a product and only consider security issues after that. That is why it is recommended to pick new solutions carefully. Of course vendors perform safety checks, however it is impossible to cover all aspects in testing environment. Routers, for example, are often configured only once and operate for years without attendance then. The same situation is with software updates: according to research by Kaspersky Lab about 1% of all vulnerabilities are 10 years old.
Working with staff
According to the research by Trend Micro only a quarter of data leakage incidents result from hacking and malware. The lion’s share (accidental and intentional both) is the responsibility of employees. The stuff should be informed about the existing information security policies and well-trained with secure operations rules for the corresponding business processes. Constant monitoring of following these rules and policies by personnel is highly important. The main drive for following the policies is transparency of all work processes and clear vision of responsibility for non-compliance with corporate regulations. Introduction of Commercial Secret regime and signing non-disclosure agreements usually serve as a proof of deep mutual understanding of the concerned risks and consequences in case of intentional leakage. A well-selected information security and operational risks management tool will provide support for the corporate policy from the technical side with comprehensive control of work processes and data transfer channels.
Security Audit
Holistic assessment of the current situation with information security in a company as the initial stage of building a comprehensive information security infrastructure will most probably require involvement of external auditor. An experienced information security specialist will help to identify who works with which types of data and arrange secure access to it in the future. Another audit method is pentesting – ethical hacking and penetration tests which reveal weak points in security infrastructure. The so-called bug bounties are a smart method to test the status of security. World famous companies like Facebook, Google, Yahoo and other launched the initiative of paying bounties for discovered vulnerabilities long ago. It is clear, however, that information security system cannot be plugged once and for good – the process is permanent. Analysis and evaluation of applied tools and followed procedures should be on permanent go. Having a pair of fresh eyes on the system when doing the audit is highly recommended, that’s where involvement of third-party experts might be a good option.
What should you know about protection law in the World:
USA
In the United States, there is no single comprehensive federal (national) law regulating the collection and use of personal data. Nevertheless, each term of the Congress gives proposals for the standardization of laws at the federal level. There are about 20 sector specific or medium-specific national data protection laws, as well as hundreds of such laws among its 50 states and territories. Organizations must take the necessary steps to protect data, from unauthorized access and violations of processing policies. In some states, the minimum requirements for protection of information are also fixed at legislative level.
Asia
China
In China, there is no single system of documents for personal data protection, so requirements are scattered across a variety of documents and none of them have a clear definition of what personal data is.
South Korea
The main requirements for data protection in South Korea giving in Personal Information Protection Act (PIPA) and the Act on Promotion of Information and Communication Network Utilisation and Information Protection (IT Network Act).
Japan
In Japan, regulation takes place at the federal level by Act on the Protection of Personal Information (APPI) and at the agency level in recommendations for implementing APPI. Organizations must take the necessary steps to protect their data from unauthorized access and violations of processing policies. In addition, recommendations have been developed to provide protection at the level of individual departments. In Japan, there are no specialized requirements for the biometric protection of personal data.
Latin America
Latin American countries are trying to follow the European model of data protection law, however, they are lagging behind European and American standards. Some countries, such as Brazil, do not have a comprehensive data protection law. Other countries, such as Argentina or Chile, are outdated in this respect, considering the security of data only in general terms and without special rules requiring notification of security incidents.
European Union
The main document for personal data protection in European Union is The Data Protection Directive (EU GDPR), which was adopted in 1995. The Directive regulates processing of personal data within the European Union and it is an important component of EU privacy and human rights law. In May 2018, updated GDPR will come into force in all EU member states. The Resolution establishes duties and responsibilities for those who process personal data, prescribing the adoption of appropriate technical and organizational measures for the safe processing of information.
Building a comprehensive information security infrastructure in a company is not an immediate process. The level of protection should continuously evolve. Information leakage threats are permanently growing for any kind of business that is why the counter measures should develop accordingly. We do not claim the above listed measures as full and totally comprising but these are the ones to be covered in the first place.