Date: 7 September 2015
Organization: International Information Systems Security Certification Consortium, (ISC)²
Author: 符傳威
According to the 2015 (ISC)² Global Information Security Workforce Study, 62 percent of nearly 14,000 respondents believe that their organizations have too few information security professionals. Signs of strain within security operations caused by the workforce shortage are materializing: companies and organizations are increasingly struggling to manage threats and avoid errors, and are taking longer to recover from cyberattacks. Investing in security technologies, personnel and outsourcing will not, by itself, materially reduce the workforce shortage in the short term. An expansion of security awareness and accountability throughout the organization is required. A more impactful approach is to embed real security accountability in other departments, and to have the IT and security departments work more collaboratively. Solving the problem will require not just the orchestration of information security leaders, but all cyber-enabled organizations to elevate the importance and ownership of security among all employees. Here are some key security essentials that everyone in business operations should observe.
1. Asset Security — protect the company jewels
Every company has information that it considers to be its crown jewels. Perhaps it's scientific and technical data, documents regarding possible mergers and acquisitions, or clients' non-public financial information. This is why we must address the policies and processes around the collection, handling and protection of information throughout its lifecycle. Each enterprise should carry out an inventory, with the critical data getting special treatment. Each priority item should be guarded, tracked and encrypted as if the company's survival hinged on it. In some cases, it may. The concepts, principles, structures and standards used to monitor and secure assets are crucial to enforcing the appropriate levels of confidentiality, integrity and availability.
2. Security and Risk Management — build a risk-aware culture
The idea is elementary. Every person within an organization can expose it to compromise, whether by clicking a dubious attachment or by failing to install a security patch on a smartphone. So the effort to create a secure enterprise must include everyone. Building a risk-aware culture involves setting out the risks and goals, and then spreading the word throughout the entire company. But the important change is cultural. Think of the knee-jerk reaction — the horror — that many experience if they see a parent yammering on a cell phone while a child runs into the street. The information security leaders who try to nurture risk-aware cultures should have a broad understanding of general information security and risk management topics, beginning with the fundamental security principles of confidentiality, availability and integrity.
3. Software Development Security — embed security in design
Imagine if the auto companies manufactured their cars without seat belts or airbags, and then added them later, following scares or accidents. It would be both senseless and outrageously expensive. Similarly, one of the biggest vulnerabilities in information systems — and one of the biggest wastes of money — comes from implementing services first, and then adding security as an afterthought. The only solution is to build in security from the beginning, and to carry out regular automated tests to track compliance. This also saves money. If it costs an extra $60 to build a security feature into an application, it may cost up to 100 times as much — $6,000 — to add it later.
4. Communication and Network Security — establish secure communication channels
Consider urban crime. Policing would be far easier if every vehicle in a city carried a unique radio tag and traveled only along a handful of thoroughfares, each of them lined with sensors. The same is true of data. Companies that channel registered data through monitored access points will have a far easier time spotting and isolating malware. Cybercriminals are constantly probing for weaknesses. Each workstation, laptop or smartphone provides a potential opening for malicious attacks. The settings on each device must not be left up to individuals or autonomous groups. They must all be subject to centralized management and enforcement. And the streams of data within an enterprise have to be classified, each one with its own risk profile and routed solely to its circle of users. Securing the workforce means vanquishing chaos and replacing it with confidence.
5. Identity and Access Management — track who’s who
Say a contractor gets hired full time. Six months pass and he/she gets a promotion. A year later, a competitor swoops in and hires him/her. How does the system treat that person over time? It must first give him/her limited access to data, then open more doors, before finally cutting him/her off. This is managing the identity lifecycle, and it's vital. Companies that mismanage it are operating in the dark and could be vulnerable to intrusions. This risk can be addressed by implementing meticulous systems to identify people, manage their permissions and revoke them as soon as they depart.
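The two preceding sections describe classified data streams routed only to their circle of users, and an identity that gains and then loses access over its lifecycle. The following added example (not code from the article or from (ISC)²) models both: a constructed four-level classification scale, roles that each carry a maximum clearance, and an identity that is onboarded as a contractor, promoted, and finally offboarded. The classification names, role clearances and the user `jdoe` are assumptions made for the example; access is denied by default, and offboarding clears every role at once rather than removing them one by one.

```python
"""Identity lifecycle with classification-based access (constructed example)."""
from dataclasses import dataclass, field
from datetime import date

# Ordered data classifications: higher index = more sensitive (constructed scale).
CLASSIFICATIONS = ["public", "internal", "confidential", "restricted"]

# Each role may read data up to this classification (constructed policy).
ROLE_CLEARANCE = {
    "contractor": "internal",
    "employee": "confidential",
    "manager": "restricted",
}


@dataclass
class Identity:
    user_id: str
    roles: set = field(default_factory=set)
    active: bool = True
    history: list = field(default_factory=list)  # audit trail of lifecycle events

    def log(self, when: date, event: str) -> None:
        self.history.append((when.isoformat(), event))


def onboard(user_id: str, role: str, when: date) -> Identity:
    ident = Identity(user_id=user_id, roles={role})
    ident.log(when, f"onboarded as {role}")
    return ident


def change_role(ident: Identity, old_role: str, new_role: str, when: date) -> None:
    # Replace rather than accumulate roles, so permissions do not silently pile up.
    ident.roles.discard(old_role)
    ident.roles.add(new_role)
    ident.log(when, f"role changed {old_role} -> {new_role}")


def offboard(ident: Identity, when: date) -> None:
    # Revoke everything in one step: roles emptied and the account disabled.
    ident.roles.clear()
    ident.active = False
    ident.log(when, "offboarded: all access revoked")


def clearance(ident: Identity):
    """Highest classification any of the identity's roles may read, or None."""
    if not ident.active or not ident.roles:
        return None
    levels = [CLASSIFICATIONS.index(ROLE_CLEARANCE[r]) for r in ident.roles]
    return CLASSIFICATIONS[max(levels)]


def can_read(ident: Identity, data_classification: str) -> bool:
    """Deny by default: a disabled or role-less identity reads nothing."""
    c = clearance(ident)
    if c is None:
        return False
    return CLASSIFICATIONS.index(data_classification) <= CLASSIFICATIONS.index(c)


def contractor_story():
    """Walk one identity through hire, promotion and departure.

    Returns what the identity could read at each phase, so the effect of each
    lifecycle step is visible as data rather than as printed text.
    """
    ident = onboard("jdoe", "contractor", date(2015, 1, 5))
    phase1 = (can_read(ident, "internal"), can_read(ident, "confidential"))
    change_role(ident, "contractor", "employee", date(2015, 7, 6))
    phase2 = (can_read(ident, "confidential"), can_read(ident, "restricted"))
    offboard(ident, date(2016, 1, 4))
    phase3 = (can_read(ident, "public"), ident.active)
    return phase1, phase2, phase3, ident.history


if __name__ == "__main__":
    for step in contractor_story():
        print(step)
```

The audit trail kept in `history` is what lets a reviewer later answer "who could read what, and when": each grant and revocation is recorded with its date, and the access decision itself consults only the current state, so a departed identity cannot read even public data.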
6. Security Assessment and Testing — patrol the neighborhood
Say a contractor needs access to the system. How do you make sure he/she has the right passwords? Leave them on a notepad? Send them in a text message? Such improvisation carries risk. An enterprise's culture of security must extend beyond company walls to establish best practices among its contractors and suppliers. This is a process similar to the drive for quality control a generation ago, and the logic is the same: security, like excellence, should be infused throughout the entire ecosystem. The ruinous effects of carelessness in one company can convulse entire sectors of society.
7. Security Operations — manage incidents and respond
Say that two similar security incidents take place: one in Brazil, the other in Pittsburgh. They may be related. But without the security intelligence needed to link them, an important pattern — one that could indicate a larger incident — may go unnoticed. A company-wide effort to implement intelligent analytics and automated response capabilities is essential. Creating an automated and unified system will enable an enterprise to monitor its operations — and respond quickly.
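As an added illustration of the cross-site correlation this section calls for (example code, not the article's own), the block below takes a handful of constructed JSON alert lines from two sites, indexes them by the indicators they share (a file hash and a destination address), and reports any indicator seen at more than one site. The alert format, field names, site names, hosts, hash and IP addresses are all assumptions made up for the example; the addresses are from documentation ranges.

```python
"""Link alerts from different sites by shared indicators (constructed example)."""
import json
from collections import defaultdict

# Constructed alerts: one quarantined file and one blocked connection per site.
# The hash and 203.0.113.9 appear at both sites; 198.51.100.20 appears at one.
SAMPLE_ALERTS = """
{"site": "sao-paulo", "ts": "2015-09-01T03:14:00Z", "host": "br-ws-17", "type": "av_quarantine", "sha256": "ab12ab12ab12ab12ab12ab12ab12ab12ab12ab12ab12ab12ab12ab12ab12ab12", "dst_ip": "203.0.113.9"}
{"site": "pittsburgh", "ts": "2015-09-01T09:02:00Z", "host": "pit-ws-04", "type": "outbound_block", "sha256": null, "dst_ip": "203.0.113.9"}
{"site": "pittsburgh", "ts": "2015-09-02T11:47:00Z", "host": "pit-lt-22", "type": "av_quarantine", "sha256": "ab12ab12ab12ab12ab12ab12ab12ab12ab12ab12ab12ab12ab12ab12ab12ab12", "dst_ip": null}
{"site": "sao-paulo", "ts": "2015-09-02T12:00:00Z", "host": "br-ws-03", "type": "outbound_block", "sha256": null, "dst_ip": "198.51.100.20"}
"""

# Which alert fields count as indicators worth pivoting on (assumed).
INDICATOR_FIELDS = ("sha256", "dst_ip")


def parse_alerts(text: str) -> list:
    """Parse JSON lines, skipping blank lines and lines that are not valid JSON."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # malformed line: ignored rather than aborting the whole batch
    return alerts


def index_by_indicator(alerts: list) -> dict:
    """Map (field, value) -> list of alerts carrying that indicator."""
    index = defaultdict(list)
    for alert in alerts:
        for fld in INDICATOR_FIELDS:
            value = alert.get(fld)
            if value:  # null / missing fields are not indicators
                index[(fld, value)].append(alert)
    return index


def cross_site_indicators(alerts: list) -> dict:
    """Indicators observed at two or more sites, with the sites and hosts involved."""
    related = {}
    for key, hits in index_by_indicator(alerts).items():
        sites = sorted({h["site"] for h in hits})
        if len(sites) >= 2:
            related[key] = {
                "sites": sites,
                "hosts": sorted({h["host"] for h in hits}),
                "first_seen": min(h["ts"] for h in hits),
            }
    return related


def hosts_to_contain(alerts: list) -> list:
    """Hosts touched by any cross-site indicator: candidates for automated isolation."""
    hosts = set()
    for info in cross_site_indicators(alerts).values():
        hosts.update(info["hosts"])
    return sorted(hosts)


if __name__ == "__main__":
    found = cross_site_indicators(parse_alerts(SAMPLE_ALERTS))
    for (fld, value), info in found.items():
        print(f"{fld}={value} seen at {info['sites']} on {info['hosts']}")
    print("contain:", hosts_to_contain(parse_alerts(SAMPLE_ALERTS)))
```

Neither site's analyst would see a pattern in their own two alerts; only the pooled index reveals that the same file and the same destination connect the Brazilian and Pittsburgh hosts. The `hosts_to_contain` list is the kind of output an automated response step would consume, while the indicator that appeared at one site only is left for ordinary triage.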
8. Security Engineering — assess and mitigate vulnerabilities
It happens all the time. People stick with old software programs because they know them and are comfortable with them. But managing updates on a hodgepodge of software can be next to impossible. Additionally, software companies sometimes stop making patches for old programs. Cyber criminals know this all too well. In a secure system, administrators can keep track of every program that's running, be confident that it's current, and have a comprehensive system in place to install updates and patches as they're released. The goal is to balance managing risk with enabling innovation. The administrator and/or security leaders should know the practice of building information systems and related architecture that continue to deliver the required functionality in the face of threats that may be caused by malicious acts, human error, hardware failure and natural disasters.
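To show what "keep track of every program and be confident it's current" looks like as a check rather than a sentiment, here is an added example (not from the article) that compares a constructed software inventory against a constructed approved baseline. The baseline records, per program, the minimum acceptable version and, where the vendor has ended support, the end-of-support date; the assessment flags programs that are below the minimum, programs whose vendor no longer ships patches, and programs that are not in the baseline at all. Program names, versions, hosts and dates are invented for the example.

```python
"""Inventory-versus-baseline patch assessment (constructed example)."""
from datetime import date

# Constructed vendor baseline: minimum supported version and end-of-support date.
BASELINE = {
    "webframework": {"min_version": "2.4.1", "end_of_support": None},
    "pdfviewer": {"min_version": "11.0.3", "end_of_support": date(2014, 12, 31)},
    "dbclient": {"min_version": "9.3.0", "end_of_support": None},
}

# Constructed inventory as an agent or discovery scan might report it.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "program": "webframework", "version": "2.4.1"},
    {"host": "ws-01", "program": "pdfviewer", "version": "10.1.0"},
    {"host": "ws-02", "program": "dbclient", "version": "9.2.7"},
    {"host": "ws-02", "program": "legacy-erp", "version": "1.0"},
]


def parse_version(version: str) -> tuple:
    """'2.4.10' -> (2, 4, 10); tuple comparison orders 2.4.10 after 2.4.9."""
    return tuple(int(part) for part in version.split("."))


def assess(inventory: list, baseline: dict, today: date) -> list:
    """Return one finding per non-compliant inventory item, in inventory order.

    Statuses: 'unknown' (not in baseline), 'end_of_support' (no patches exist,
    so version comparison is moot), 'outdated' (below minimum version).
    """
    findings = []
    for item in inventory:
        entry = baseline.get(item["program"])
        finding = {"host": item["host"], "program": item["program"],
                   "version": item["version"]}
        if entry is None:
            finding["status"] = "unknown"
            finding["detail"] = "not in approved baseline"
            findings.append(finding)
            continue
        eos = entry["end_of_support"]
        if eos is not None and today > eos:
            finding["status"] = "end_of_support"
            finding["detail"] = f"vendor support ended {eos.isoformat()}"
            findings.append(finding)
            continue
        if parse_version(item["version"]) < parse_version(entry["min_version"]):
            finding["status"] = "outdated"
            finding["detail"] = f"below minimum {entry['min_version']}"
            findings.append(finding)
    return findings


def hosts_needing_action(findings: list) -> list:
    """Distinct hosts with at least one finding, for work-order generation."""
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    results = assess(SAMPLE_INVENTORY, BASELINE, date(2015, 9, 7))
    for f in results:
        print(f"{f['host']}: {f['program']} {f['version']} -> {f['status']} ({f['detail']})")
    print("hosts needing action:", hosts_needing_action(results))
```

The end-of-support check comes before the version comparison on purpose: a program the vendor has abandoned cannot be brought current by patching, so reporting it as merely "outdated" would understate the problem. Programs absent from the baseline are reported too, since an unknown program is exactly the "hodgepodge" the section warns about.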