June 27, 2003 - Volume 2, Number 6
Implement Security Best Practices With This 6-Step Program
by Mark Altenbernd
Everybody wants to protect their network from the security threats that swarm across the Internet. But the field of network security is complex, technically arcane, and, to many people, overwhelming and intimidating. What can the owner of a small or mid-sized business do? What steps should he take? Where should he start?
One of the best places to start is with the recognition that everybody who comes into contact with your network, principally your employees, is a potential source of security breakdown. It's not likely (although it's also not impossible) that your employees are malicious and want to harm you. But it is certainly possible that they can cause damage inadvertently through well-intended but misguided use of your network. No matter what other security measures you put in place, your people still represent a major potential security weakness.
What can you do to protect yourself from this weakness? You can insist that everyone who uses your network follow security best practices. And beyond insisting, you can and should provide appropriate guidance and assistance so that everyone understands what best practices are and how to employ them.
“Best Practices.” WOW! Sounds impressive. Makes you want to run out and hire a consultant to tell you what all the best practices are. But the truth is that there is no single set of practices that is best for everyone. You must figure out what security practices are best for you in your situation at the present time. That may sound like a daunting task, but it need not be.
When we help clients implement a security best practices program, we follow a 6-step process. We begin at a fairly abstract level and work our way forward until we have implemented a program of assisting all of the network users in following best practices. The six steps are:
- Identify general areas of security concern
- Develop an explicit policy for each area
- Embody each policy in one or more procedures
- Create training materials based on procedures
- Implement a formal training program
- Implement a monitoring and control mechanism
Let's examine each of these 6 steps in turn.
1. Identify general areas of security concern
List all of the broad areas where inappropriate behavior might lead to a breach of security. Such areas might include, for example, User Authentication, Passwords, and Virus Protection, among others. The list should be universal in nature, that is, it should be sufficiently general that it would be useful to any organization of any size. It should be exhaustive, as well: as nearly as possible, it should list every area that might possibly be of concern to a company, even if it is not of concern at the moment. There are perhaps 25 or 30 such general areas.
2. Develop an explicit policy for each area
The list of areas of security concern, developed in Step 1, is of universal applicability: it is useful to all organizations over a long period of time. But each policy itself is less general and more specific to the individual organization and its time and place. A policy statement should state desired prevailing conditions, e.g. “All of our computers must have our corporate-standard anti-virus software installed, active, and up to date.” Note that the statement is neither too general – “We wish to remain virus-free” – nor too specific – “Install Norton Anti-Virus 2003 and update each Saturday between the hours of 2AM and 6AM.” The statement is clear as to what state of affairs is to be maintained but permits elaboration and specification in Step 3, below. A policy statement should be persistent by nature, maintaining its relevance for a considerable period of time without revision. It also should lend itself to the ready development of specific implementing procedures.
3. Embody each policy in one or more procedures
A procedure is a specific step-by-step process that, when followed explicitly, results in implementation of the governing policy. Each procedure must be developed with the participation of someone with sufficient technical expertise to ensure that the procedure actually achieves the goals that the governing policy outlines. Since its purpose is to guide the activity of mostly non-technical people, the wording of the procedure should be reviewed for clarity, precision, and completeness. It's likely that a given policy will require several procedures to implement it fully. For example, the virus protection policy developed in Step 2, above, might have 3 related procedures: Select Corporate Anti-Virus Solution, Install Anti-Virus Software, and Update Anti-Virus Definitions.
4. Create training materials based on procedures
Written procedures may be perfectly acceptable as they stand, especially if they are well written and are clear, concise, and correct. But frequently supplemental training materials are needed to ensure that the people down in the trenches, those actually using the computers and network, understand the policies and procedures and the importance of both. Whether you actually need to prepare training materials will depend largely on your specific situation: the number of users you have, the complexity of your network, the level of sophistication among your users, the rate of employee turnover, and so on. One thing is pretty sure, however: if you need to have training materials, then you also need to have them well designed and well written. It would probably be a good idea to hire a skilled instructional designer to produce your training materials.
5. Implement a formal training program
You probably will not need an elaborate security training program for your employees. Whatever formal training you require probably can be met by generic security training programs, such as the one we offer. If you should have some unusual training requirements that necessitate a custom training program, obviously the materials you prepared in Step 4 above will form the basis of the program. The program could be instructor-led or it could be a self-study course. While the form and content of the training program will vary considerably, there is one constant thread: the weakest link in your security chain, your users, must be adequately trained so that they do not inadvertently compromise your security. You should define the content of your training program and then ensure that all of your users go through it, or at least those parts that are relevant to their jobs. In this way, you can institute the continuing use of security best practices in your organization.
6. Implement a monitoring and control mechanism
If you have followed our process through the first five steps that I've outlined above, then you have incurred a good bit of trouble and at least a little bit of expense, perhaps more. It would be a shame to let that investment waste away, but waste it will unless you actively monitor and manage your security program on an ongoing basis. It is not necessary to have an elaborate or expensive system, but it is necessary to have a system of some sort. You want to make sure that all new employees receive adequate orientation and training, and that everyone is following procedures and adhering to policy. It probably makes sense to have an annual review of your security policy, procedures, and practices just to ensure that you continue to protect yourself from all current security threats. And of course periodic reviews and spot checks should assess whether your employees are using the lessons they have been taught and are implementing security best practices.
By following this 6-step process, you can divide your security concerns into small, manageable pieces and then move to address each one in turn. The result will be greatly improved network security in your organization and the ongoing use of security best practices.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
We can help
At Altenbernd Consulting we have an array of Security Management Services that are designed to help you cope with the overwhelming complexity of security on the Internet. We can evaluate your current security practices and recommend improvements. We can help you implement an appropriate and affordable security best practices program; we can provide security basic training for your employees; and we can be a single-point outsource for all of your network security needs. Call us at (800) 557-7634. Or visit our Web site to learn more about how we can help you: http://www.Altenbernd.Com.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++