Thursday, January 15, 2009

Information Security: How Does Your Organization Fail?

Welcome ISC readers! While you're here, you may find our other articles on the security mentality interesting:

Our original article:

How does your organization fail at information security? The ISC's Lenny Zeltser breaks down many of the common failures in information security organizations - many of these are familiar.

A few of my favorites, with some commentary:
  • Create security policies you cannot enforce. Or enforce security policies that make no sense, or are so egregiously bad that even your own security staff won't follow them.
  • Assume that being compliant means you're secure. This is particularly common in organizations that have recently implemented PCI-DSS security requirements.
  • Hide from the auditors - or better, provide incomplete information, or simply don't provide information at all!
  • Let your anti-virus, IDS, and other security tools run on "auto-pilot." A common trap for understaffed organizations that do have funding for hardware or software is to buy solutions, but to then discover that they don't have enough time to maintain them. Increasing the number of security solutions, but not the time allocated to maintenance is a deadly trap for security.
  • Make someone responsible for managing risk, but don't give the person any power to make decisions. This often makes system administrators unhappy - they're told that they're responsible for the systems and their security, but are told that they must provide any services that their clients desire. They're left with all of the responsibility, and none of the rights.
  • Assume you don't have to worry about security, because your company is too small or insignificant. One of the worst threats I've seen to smaller organizations, or those with data that they perceive as unimportant. I ask "The question is not 'is your data important to them', it is 'Is your data important to you?'. If it isn't, then why are you in business, or why do you keep it?
  • And finally, Dr. No syndrome: "Say "no" whenever asked to approve a request." One of the fastest ways to fail is to be seen as a hindrance, rather than a partner. Yes, information security must know how to say no, but no is not the default answer.
As organizations mature, the mistakes they make tend to change. As policies and procedures become more ingrained, the mistakes made due to lack of knowledge or worries about security are likely to develop into issues with complexity, familiarity, or organizational habit.

1 comment:

james said...

One of the primary causes of security breaches is the emphasis by organizations on convenience over security. While numerous cases of security breaches and leakage of sensitive information occur on a regular basis, many organizations still treat information security as a compliance measure. Organizations must provide security administrators with enough resources to streamline the security infrastructure. I agree with David that responsibility without authority will not result in secured networks, systems and databases. Organizations must be proactive in dealing with threats in the IT environment. Proper enforcement of security policies, regular software updates, user awareness, access controls and encouraging training in security certifications such as ceh can help in securing the IT infrastructure.