This is the first post in a three-part series intended to share what I've learned working on the AlienVault Forums. I'm in Support at AlienVault and spend my share of time on the forums, where I have seen a number of posts asking about the cost of implementing security processes and procedures on a network. It is a valid question, as the prospect of creating a security policy and implementing it on a network can be daunting for a beginner. Below are a handful of ideas that will hopefully help you develop and implement your plan. I will stick to basic theory, since my choice of products is obviously somewhat biased. :wink:
Security is expensive.
Let's correct that. Information Technology is expensive. Security is not a separate part of our IT infrastructure that is bolted on after the fact, or at least it shouldn't be. Security is an integral part of any functioning system, just like data assurance, usability, equipment life-cycle, or any other component of total cost of ownership (TCO). How much it costs depends on how it is implemented and on what the end goals are.
From the outset, the process of creating and implementing a security policy can seem difficult, especially for a mid-size business. With some basic planning and a few preliminary steps, however, you can eliminate a lot of unnecessary work and lower the cost significantly.
Step 1: Don't start with a Blank Canvas
The process of implementing a security policy is a big enough task as it is. Let's not make it bigger by starting with the goal "secure the network." We need to define a clear goal and then break it down into measurable tasks that we can prioritize. This lets us spread the cost over time while mitigating the most serious threats first.
Before we start looking at a few of the basics, let's consider some points that will weigh on our decision making throughout the process. This will establish our baseline for planning.
What compliance requirements do I need to consider? This question comes first because compliance requirements remove flexibility in certain areas. There are optional steps in security and there are required processes, and you need to be able to tell which is which. These requirements will weigh heavily on our approach.
What is our current IT inventory? The old adage "you cannot manage what you cannot measure" carries a measure of truth. If we do not have a clear picture of what we are securing, we could miss some important steps. The more detailed the inventory, the more useful it will be in planning. There are a number of asset/inventory management applications that can help with this process. Take your time and make sure you are not missing anything; every step that follows depends on this one.
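One practical way to check that the inventory is not missing anything is to compare what your asset management tool has recorded against what actually answers on the network. The script below is an added example, not code from the original post or from AlienVault: it reconciles a constructed inventory export (a hypothetical CMDB CSV with hostname, ip, owner and os columns) against a constructed list of addresses that responded to a discovery sweep, and reports hosts that are on the wire but not recorded, recorded assets that did not respond, and records that lack the owner or OS fields you will need later when prioritizing. The field names and sample data are assumptions for the example.

```python
"""Gap check between a recorded asset inventory and what is actually on the network.

Added example, not from the original post or from AlienVault. Both inputs below
are constructed sample data; a real run would use an export from your asset
management tool and the parsed output of a discovery scan (for example a ping
sweep) mapped onto the same field names.
"""
import csv
import io
from dataclasses import dataclass, field

# Constructed inventory export (hypothetical CMDB CSV). Required fields are the
# ones you will need later for prioritisation: an owner and an OS/platform.
INVENTORY_CSV = """hostname,ip,owner,os
fs01,10.0.1.10,it-ops,Windows Server 2012
pos-02,10.0.5.22,retail,Windows 7
web01,10.0.2.5,webteam,
printer-3f,10.0.1.77,,
"""

# Constructed discovery results: addresses that answered during a sweep.
OBSERVED_HOSTS = ["10.0.1.10", "10.0.5.22", "10.0.2.5", "10.0.2.9", "10.0.5.40"]

# Fields that must be filled in before an entry counts as "inventoried".
REQUIRED_FIELDS = ("owner", "os")


@dataclass
class GapReport:
    unknown: list = field(default_factory=list)     # seen on the wire, not in inventory
    unseen: list = field(default_factory=list)      # in inventory, did not respond
    incomplete: dict = field(default_factory=dict)  # ip -> list of missing field names


def load_inventory(csv_text):
    """Parse the CSV export into a dict keyed by IP address."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["ip"].strip(): row for row in rows}


def reconcile(inventory, observed):
    """Compare recorded assets against observed addresses and report the gaps."""
    report = GapReport()
    recorded = set(inventory)
    observed_set = set(observed)
    # Addresses that answered but nobody has recorded: the ones most likely to
    # be missed by the security plan, so they go first.
    report.unknown = sorted(observed_set - recorded)
    # Recorded assets that did not answer: possibly retired, offline, or moved.
    report.unseen = sorted(recorded - observed_set)
    # Recorded assets whose entries are too thin to plan around.
    for ip, row in sorted(inventory.items()):
        missing = [f for f in REQUIRED_FIELDS if not (row.get(f) or "").strip()]
        if missing:
            report.incomplete[ip] = missing
    return report


def run_gap_check(csv_text=INVENTORY_CSV, observed=OBSERVED_HOSTS):
    """Convenience wrapper that runs the check on the constructed sample data."""
    return reconcile(load_inventory(csv_text), observed)


if __name__ == "__main__":
    r = run_gap_check()
    print("Unknown hosts (add to inventory, then investigate):", r.unknown)
    print("Inventory entries that did not respond (retired? offline?):", r.unseen)
    for ip, fields in r.incomplete.items():
        print(f"{ip}: missing {', '.join(fields)}")
```

Run this after every discovery sweep rather than once; the "unknown" list is the one to act on first, because an asset nobody recorded is also an asset nobody is patching or monitoring.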
What goals does management have for this project? Management may have specific goals in mind that are separate from your concerns. Does management want a specific maximum downtime? Is the company planning to apply for any certifications that this process could affect? Is the company looking to enter a new market in the near future, or to merge with another company or division? All of these will affect your plans, and it is best to know about them from the start.
What is the projected budget, and what is the cost and availability of labor? It is important to remember that time really is money. Some solutions may cost considerably less than others up front but require much more staff time to operate and maintain.
Are there any priorities specific to your company or industry? This may be a matter of policy or simply of preference, but there is likely one area you want to focus on first. There is no hard rule here: a retail company will likely focus on POS systems first, whereas an internet site will focus primarily on web application security. Your own goals and your equipment lifecycle also weigh in. If you are due for network infrastructure upgrades in three months, your best bet is to look closely at which security features the new equipment should provide rather than spending on gear you are about to retire.
I should stress here that you may want to hire a qualified consultant to review your plan and suggest changes so that nothing is missed. I strongly advise this if you are legally bound to meet a particular standard. It is one expenditure you will not regret when it prevents fines for non-compliance.
I'll be back with the next installment in the series, Step 2: Divide and Conquer.