Friday, September 27, 2013

Press the Key for Security...

Wouldn't it be great if it were that simple to control security on your system! However, we all know that taming the security monster is a precise and detailed process. IT departments have their hands full trying to develop a security policy as they strive to reduce the risk profile of a business and fend off both internal and external threats.

What's the Plan?

So how do they do it? Where can they start?
There are numerous websites out there, chock full of information on how to develop a plan. Many of them also include templates to help you begin your security plan journey. A well-thought-out plan for distribution, monitoring and evaluation turns a good technology plan into a great technology plan.
 
Here are some basic steps for developing your security plan:
  • Plan - Select a well-rounded Technology Committee and develop a realistic timeline for the development of the Technology Plan.
  • Mission Statement - Create an information technology mission statement and align it with the goals of your organization.
  • Analyze - Analyze your current data, security policies and infrastructure. Determine your current threats, attacks and legal issues.
  • Risks - Evaluate risks and threats to your organization.
  • Design - Create your security blueprint and evaluate technology to support it, implement key policies and perform a feasibility analysis. Agree on a final design.
  • Implement - Test and implement security solutions. Evaluate any personnel issues, conduct training and educate users. Present to management for approval.
  • Maintain - Focus your organizational efforts on maintenance through monitoring, planning, reviewing, constantly updating and responding to changing threats.
  • Enforce - Without enforcement, the policies will be useless.
  • Educate - Keep all users educated and communicate all phases of your plan.

Policy is the cornerstone of an effective organization. It serves as a road map that every person in the organization can use in a variety of ways. In today's technology-connected world, it is imperative that organizations and individuals incorporate security management into their IT practices.

"Security in IT is like locking your house or car – it doesn't stop the bad guys, but if it's good enough they may move on to an easier target." — Paul Herbka


Here are some links to a few sites I found useful in my research for developing security plans:
IBM
Rutgers Information Technology
SANS

Wednesday, September 18, 2013

BACKUP - It's Gonna Blow!

You always back up your important documents, right? You diligently save everything to your corporate network, feeling secure in the backups being performed. But do you know if those backups are ever being restored to test them? Do you save really important files to an external drive like a flash drive? Are the company backups being kept off-site? From hurricanes to simple power outages, disasters are unpredictable by nature and can strike anywhere at any time with little or no warning. Is your company prepared?

Disaster Recovery and Business Continuity - these are two phrases that are often uttered after a system crashes or becomes incapacitated. Disaster Recovery Planning is the factor that makes the critical difference between the organizations that can successfully manage crises with minimal cost and effort and maximum speed, and those that are left picking up the pieces. A Business Continuity Plan will help a business stay in business during a crisis. 



In order to stay competitive, today's business needs to have a strategy in place to avert and minimize harm from disasters. In using technology to increase business, a company is also placing much of its core practices at the mercy of that same technology.

Here are some simple steps a company can take to create a business continuity plan:
  • Establish a business case for Risk Mitigation
  • Follow a process:
    • To minimize the business impact
    • To address human safety
    • To mitigate corporate liability
    • To meet regulatory requirements
    • To protect the organization's public image
  • Build and train the team(s)
  • Create a business impact analysis - you might create a chart where you assign each business function a rating.
  • Evaluate external resources
  • Build a crisis communication plan

A good Disaster Recovery Plan will also be needed to mitigate the effects of a disaster. There are all types of documents available to help you design a plan but here are a few points to consider:
  • Develop goals
  • Identify key personnel
  • Identify key points of failure
  • Prepare a plan and procedures to support the plan
  • Communicate the plan
  • TEST and refine the plan
  • Make sure you test the plan periodically
Don't end up with sticky notes all over - create a plan!

Here are some sites with useful information on disaster recovery and business continuity planning:

Business Continuity Disaster Recovery Plan Steps, Examples or Scenarios

CSO - Business Continuity and Disaster Recovery

Tuesday, September 10, 2013

Shhhhh....Don't tell anyone!

Big Brother is definitely watching every move you make even if they are trying to keep it a secret. It's been recently reported that the National Security Agency (NSA) has been able to thwart internet security by using supercomputers, technical sleight of hand, court orders and behind-the-scenes persuasion. Some of the encryption they have cracked is used to protect banking, global commerce and even medical records. While they might have our "best interests" at heart – has the government gone too far in the quest to keep us secure?

In an effort to alleviate consumer concerns about privacy, Google, Microsoft, Yahoo and Facebook have each filed suit to ask the government for permission to reveal information about the number and types of national security requests for user data that the companies receive. In doing so, the companies are hoping to bring some transparency to this secretive government process. They want to assure their users that their data has some form of protection against unwarranted searches.

http://www.nytimes.com/interactive/2013/06/17/technology/company-data-requests.html

What protections are in place to ensure the safety of the information being "reviewed" by the NSA? According to an article in the New York Times, the 2013 NSA budget requests “partnerships with major telecommunications carriers to shape the global network to benefit other collection accesses” – this will make it even easier for them to eavesdrop. One main problem seen in the technical community is that once you open a backdoor (in the interest of security), you are also opening that backdoor to unethical hackers who could use it for malicious activity. If someone found a way to access this so-called confidential information about the NSA, then it suffices to say that any information held and reviewed by the NSA is vulnerable.

Remember the next time you are browsing that web site - someone might be watching!

Here are some links with more information on this topic:

NSA Foils Internet Encryption
NSA Defeats Many Encryption Efforts
National Security Agency


Thursday, September 5, 2013

One Billion Served!

One billion: that's not how many have been served at McDonald's. Instead, it represents the number of smartphone and tablet owners. That number will undoubtedly keep growing, and along with it will grow the opportunity for security threats from outside sources. What steps are being taken to help consumers protect themselves from these types of threats, and what can we do to help make our mobile devices more secure?

O/S vendors do seem to be taking notice and have been beefing up their systems with better security measures. Android, Blackberry, Apple, and Windows have all recently released new O/S versions containing stricter security controls.

Some of the enhancements include:

  • Windows 8 – increased password security
  • Android – heightened built-in security defaults
  • Blackberry – data encryption
  • Apple – built-in cloud-based password manager

Here is a security comparison of the various systems:
 

 
While it's important for vendors to start taking responsibility for developing more secure systems, consumers also need to be accountable for protecting their own information.

Some ways you can avoid a security intrusion are:

  • Frequently change your password and use a strong password (numbers, capitals, special characters) whenever possible.
  • Disable Bluetooth mode when not in use
  • Disable automatic Wi-Fi connections
  • Only install trusted apps
  • Keep your O/S updated

By arming yourself with the knowledge of how to implement protection measures and taking the few simple steps above, you can help ease some of the security threat concerns you might encounter. Doing nothing is not an option because with a billion mobile devices, there are plenty of opportunities for hackers to wreak havoc on your system.

Visit these sites for more information on this topic:

http://mobappsectriathlon.blogspot.com/2013/03/what-canshould-mobile-os-vendors-do-to.html

http://www.techfruit.com/2013/07/31/how-secure-are-the-various-mobile-operating-systems/

http://searchconsumerization.techtarget.com/tip/Comparing-mobile-operating-systems-manageability-and-security