Posted by: adelvecchio
administrative security, information security
This is part four of a four-part series of posts where I look at perimeter security, network security, host security, and finally administrative security as distinct elements in an overall information security architecture and the best way to evaluate the current state of each.
A standard question we ask when working with clients is how they assess their organization’s information security architecture. In the previous three posts I examined perimeter, network, and host security: how to address perimeter security in an ever-changing technical environment, and how to use tools and technology as mitigating controls that guard access to networked assets and to the hosts that live on that network.
The final step in evaluating an enterprise security architecture is the envelope that seals everything together: the administrative elements of an information security program. Administrative security has its roots in compliance with regulatory requirements, but regulations typically set only a minimum standard. An organization’s own technical information security policies and procedures go into far greater detail and set a much higher bar.
The intent of establishing technical information security policies and procedures is to clearly communicate the organization’s risk management expectations. When we assess an organization we typically look for defined policies and procedures that address:
- Provisioning of users (both normal and privileged)
- When strong authentication is required
- Separation-of-duties requirements within the organization
- The enterprise data backup strategy and life cycle
- Build, reuse, and disposal procedures for media and workstations
- Business continuity and disaster recovery procedures
- Mobile device management and control procedures
- Administrative requirements around authentication, authorization, and auditing (AAA)
- Patch management process (for workstations, servers, and other gear)
- Configuration management procedures
- Change control process
- Approval and communication process for policies and procedures
Even when security information is properly disseminated to the workforce and employees have a way to refer to the existing security rules (e.g. an intranet site or printed handbooks), nearly all systemic technical security gaps we find can be traced back to the lack of a policy or supporting procedure that clearly defines the organization’s expectations. Documenting the organization’s risk management expectations as a cogent set of rules, combined with a strong perimeter definition and defense mechanisms, is part of a base information security plan. Those steps, along with a segmented and access-controlled network architecture and hosts built with an eye on security, provide a strong foundation on which an overall information security program (including the security architecture) can be built.
Once the foundation is built, security awareness programs can help win employee mindshare for the information security process. Regular third-party audits and assessments can help determine how effective the program is and provide valuable trending data that shows the program’s maturity over time. In our experience this is the best way to secure a continued budget for the overall program, since it is otherwise very challenging to demonstrate return on investment for information security architecture expenditures.