Managing the
Internet security program requires confirming that all
elements of the program are implemented. The critical
paths and time line for the program are major benchmarks
to be used in judging the administration process. If
delays in implementing critical program elements threaten
the success of your program, you should determine the
importance of those facets of the program and act
accordingly. Procuring and implementing intrusion
detection systems throughout the company may, for
example, prove to take more time than anticipated. A
reasonable interim strategy might be to implement these
systems in the most business-critical systems within
networks that connect to the Internet. Full
implementation of these could be delayed.
Once the elements of your company's
Internet security program are installed, proper security
administration requires verifying that they remain in
place and continue to achieve the purpose for which they
are intended. Regularly and systematically examining each
element of the program is a logical course. In doing so,
you may discover, for example, that some users have
set up unauthorized modems to their host machines.
|
The basis for your discovery
could be findings from an audit, interviews with users,
or the use of a "war dialer", ,a program that
dials one telephone number after another and records
connection tone. Determining the severity of the problem
detected, and then developing a reasonable solution to be
implemented within an appropriate time period are
constant challenges for any business. Good security
administration also requires thorough documentation of
any evaluations and feedback about the program status.
Close communication with other groups such as
IT, audit, and central business units is an additional
ingredients for success.
Perhaps our most important recommendation
here is to approach the issue of compliance in a
reasonable manner that balances business goals with
security needs. Each business unit has its own computing
needs. Special projects sometimes require temporary
relaxation of the Internet security control measures.
Avoiding extremely rigid, uncompromising stands while
still progressing toward effective security maximizes the
chances of having a successful program.
|
| Case Study : Internet
Security Administration |
| Every network that Company
X owns is connected to the Internet. The user
community and the computing needs within this US
firm are diverse; it has many production systems
in addition to dedicated research and development
systems connected to the corporate networks. Because
security needs for the many computing environment
differ, security administration is very flexible.
The company's corporate Internet security policy
includes mandates for dealing with UNIX security
exposures. Business unit managers must respond
within two weeks to every vulnerability described
in the vendor-initiated notices that are
distributed widely within the corporation.
Response options include the following :
- Immediately fix the vulnerability in all
systems within the business unit.
- Commit to fix the vulnerability in all
systems within the business unit by a
certain date
- Request a partial or full waiver of the
requirement to fix the vulnerability for
some or all systems within the business
unit. In this event, the business unit
manager must submit a rationale based on
business justification.
Requiring a response within two weeks helps
ensure that every business unit pays attention to
and performs a cost justification analysis for
each announce vulnerability. Allowing a degree of
leeway in dealing with the vulnerability
accommodates the needs of individual business
units and, perhaps most important, conveys a
reasonable attitude on the part of the security
administration function.
|
References
:
Terry Bernstein, Anish B.
Bhimani, Eugene Schultz, Carol A. Siegel, Internet
Security for Business, Wiley Computer Publishing, John
Wiley & Sons Inc, 1996
|
