A graduate student in need of help – I would like to know your professional opinion on information security.

Tags: Compliance, CRM, Disaster Recovery, Policies, Risk management, Security, Security management, Security Program Management
I am a graduate student at the School of Information Studies at Syracuse University and am conducting research to gather empirical data on the subject of information security. My goal is to gain a better understanding of what IT professionals believe is an adequate level of information / network security. In other words, I am seeking to pinpoint a baseline for information security. Any assistance you can provide is greatly appreciated. Please answer the following questions as best you can; however, please keep in mind that I am not looking for “the right answer,” what I want is your professional opinion. These questions are intentionally broad in scope and are designed to elicit answers that are equally as broad. For the purposes of answering these questions, please assume that the organization is a large Fortune 500 company, such as Intel or Bank of America. Further, please assume that the information the organization possesses is sensitive (credit card numbers, social security numbers, phone numbers, mailing addresses, etc.) but not classified or data relating to national security.

Questions:

1. Is a Chief Security Officer necessary to provide adequate cyber security in a large organization?
2. What percentage of the overall IT budget should be allocated to cyber security to provide an adequate level of defense?
3. Please list the necessary technologies or devices that in your opinion a large organization must deploy in order to maintain an adequate level of security (You need only list those devices you consider to be the bare minimum needed).
4. What are the most important procedural and policy steps a CIO must take to ensure an adequate level of information security?
5. Would you consider failure to install and operate firewalls in and of itself to be professional negligence?
6. What are the most common cyber security threats that any organization, at the very least, should anticipate and plan for?
7. How often should an organization conduct security audits? How often should it conduct information security policy reviews?
8. What level of encryption (128, 256 bit, etc.) at a minimum should be used to provide an adequate level of protection for sensitive information (credit card numbers, social security numbers, etc.)?

Thank you for taking the time to answer these questions.

Sincerely,
Anthony Molet
ASKED: April 22, 2005  2:32 AM
UPDATED: May 5, 2005  10:54 AM

Answer Wiki


1. (Chief Security Officer) Yes. One very painful lesson I learned is that if upper management doesn’t care, most security efforts are a waste of time. A CSO is tangible evidence of that commitment – in the form of someone whose job it is to enforce it.

2. (Budget percentage to cyber security) – Hard to say, since security should actually be a planned part of every part of the organization, not a block you place on top of other things in existence – but on a guess 10-20%.

3. (necessary technologies/devices)
- Firewalls
- VPN
- No wireless anywhere near the data center,
- Wireless in general locked down via 802.1x, over VPN
- Two factor authentication for VPN (SecureID et al.)
- Automatic screen saver locking of all workstations
- Layered badge access to all facilities
- Video cameras of all areas
- All equipment tied to synchronized time/date (NTP/SMTP)
- Centralized logging of all events – with analysis
- IDS (Intrusion Detection System)
- Anti-Virus, Anti-Spyware
- Shredders
- Applications Proxies – to validate all server input

4. (Most important procedural/policy) – End User security awareness training for all employees from CEO down, with regular refresher courses. People are always the weakest link – and when they have not been educated, security is primarily viewed as a nuisance and therefore not given proper support and follow-through.

5. (Failure to install/operate firewalls negligence) YES!

6. (Common cyber security threats)
- Viruses
- Spyware
- Social Engineering
- Dumpster Diving
- Server probing (vulnerabilities, SQL Injection, etc.)

7. (How often audits) – Yearly at a minimum. Better would be a constant cycle of different types of audits. It cuts down on the cyclic nature of a giant audit, and allows the auditors time to notice other irregularities on an ongoing basis. Infosec policy reviews should be conducted annually at a minimum as well.

8. (Level of encryption) – As high as possible, since technical evolution will erode the relative security of any particular number. What’s more important than cipher length is to make sure that you’re using proven technologies. It’s been demonstrated that many vendors claim a “proprietary” technology that’s “secure” – but only because it’s not yet known. Once it’s out, it gets broken. Heck, even the WEP algorithm was broken pretty quickly. Also – policy and procedure for the handling of encrypted information are at least as important as, or more important than, the encryption itself. Look at news stories about missing disks or tapes as a case in point.

Bob

Discuss This Question: 1  Reply

  • Ajay42usa
    The most important aspect is managing the data collected from all security devices. Unless there is a good monitoring strategy in place, the usefulness of the security devices is very limited. For example, the new technologies like SIM (Security Information Management - products like NetForensics, ArcSight) help consolidate logs from various Routers, Firewalls, IDS, Servers, Desktops, Anti-Virus systems (like McAfee EPO) and could correlate any useful data for alerting. 3DES (168 bit) was the standard so far and maybe AES-256 is the best at this point in time. -Ajay
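Added example (not from this thread or any product named in it) of the consolidation-and-correlation step Ajay describes and that Bob's "centralized logging of all events – with analysis" item calls for: constructed firewall, IDS and anti-virus lines in three different formats are normalized to one event shape, and a source address reported by all three device types inside a short window is flagged. The log formats, addresses, 15-minute window and three-source threshold are assumptions for illustration.

```python
# Added example: a minimal SIM-style log consolidation and correlation step.
# Log formats, addresses, window and threshold are constructed for illustration.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in three different device formats.
SAMPLE_LOGS = """\
2005-04-22T02:10:01 fw01 DENY src=10.9.8.7 dst=192.0.2.10 dport=445
2005-04-22T02:10:03 fw01 DENY src=10.9.8.7 dst=192.0.2.11 dport=445
2005-04-22T02:10:04 fw01 ALLOW src=10.1.1.5 dst=192.0.2.20 dport=80
2005-04-22T02:11:30 ids01 ALERT sid=2003 msg="SQL injection attempt" src=10.9.8.7 dst=192.0.2.30
2005-04-22T02:12:45 av01 DETECTED host=192.0.2.30 threat=Trojan.Generic src=10.9.8.7
2005-04-22T03:50:00 ids01 ALERT sid=2003 msg="SQL injection attempt" src=10.1.1.5 dst=192.0.2.30
"""

# One regex per device type; each yields the timestamp and the source address.
PATTERNS = {
    "firewall": re.compile(r"^(?P<ts>\S+) \S+ DENY src=(?P<src>\S+)"),
    "ids": re.compile(r"^(?P<ts>\S+) \S+ ALERT .*src=(?P<src>\S+)"),
    "antivirus": re.compile(r"^(?P<ts>\S+) \S+ DETECTED .*src=(?P<src>\S+)"),
}

def normalize(lines):
    """Turn heterogeneous log lines into (timestamp, device_type, src_ip) events."""
    events = []
    for line in lines.splitlines():
        for device, pat in PATTERNS.items():
            m = pat.match(line)
            if m:
                events.append((datetime.fromisoformat(m["ts"]), device, m["src"]))
                break  # a firewall ALLOW line matches no pattern and is dropped
    return events

def correlate(events, window=timedelta(minutes=15), min_sources=3):
    """Flag a source IP reported by at least `min_sources` distinct device types
    within `window`. Each device alone is routine noise; the combination is not."""
    by_src = defaultdict(list)
    for ts, device, src in events:
        by_src[src].append((ts, device))
    alerts = []
    for src, seen in by_src.items():
        seen.sort()  # events are correlated in time order per source
        for i, (start, _) in enumerate(seen):
            devices = {d for t, d in seen[i:] if t - start <= window}
            if len(devices) >= min_sources:
                alerts.append((src, sorted(devices)))
                break
    return alerts
```

Running `correlate(normalize(SAMPLE_LOGS))` flags only 10.9.8.7, which the firewall, IDS and anti-virus all reported within three minutes; 10.1.1.5, seen once by the IDS alone, is not raised.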
