1. (Chief Security Officer) Yes. One very painful lesson I learned is that if upper management doesn’t care, most security efforts are a waste of time. A CSO is tangible evidence of that commitment – in the form of someone whose job it is to enforce it.
2. (Budget percentage to cyber security) – Hard to say, since security should actually be a planned part of every part of the organization, not a block you place on top of other things in existence – but on a guess 10-20%.
3. (necessary technologies/devices)
- No wireless anywhere near the data center,
- Wireless in general locked down via 802.1x, over VPN
- Two-factor authentication for VPN (SecurID et al.)
- Automatic screen saver locking of all workstations
- Layered badge access to all facilities
- Video cameras of all areas
- All equipment tied to synchronized time/date (NTP/SMTP)
- Centralized logging of all events – with analysis
- IDS (Intrusion Detection System)
- Anti-Virus, Anti-Spyware
- Applications Proxies – to validate all server input
4. (Most important procedural/policy) – End user security awareness training for all employees from the CEO down, with regular refresher courses. People are always the weakest link – and when they have not been educated, security is primarily viewed as a nuisance and therefore not given proper support and follow-through.
5. (Failure to install/operate firewalls negligence) YES!
6. (Common cyber security threats)
- Social Engineering
- Dumpster Diving
- Server probing (vulnerabilities, SQL Injection, etc.)
7. (How often audits) – Yearly at a minimum. Better would be a constant cycle of different types of audits. It cuts down on the cyclic nature of a giant audit, and allows the auditors time to notice other irregularities on an ongoing basis. Infosec policy should be conducted annually at a minimum as well.
8. (Level of encryption) – As high as possible, since technical evolution will erode the relative security of any particular number. What’s more important than cipher length is to make sure that you’re using proven technologies. It’s been demonstrated that many vendors claim a “proprietary” technology that’s “secure” – but only because it’s not yet known. Once it’s out, it gets broken. Heck, even the WEP algorithm was broken pretty quickly. Also – policy and procedure for the handling of encrypted information are at least as important as, if not more important than, the encryption itself. Look at news stories about missing disks or tapes as a case in point.
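Items 3 (centralized logging of all events, with analysis) and 6 (server probing) above describe the need without showing what the analysis looks like. The following is an added example, not part of the original post or any product the poster mentions: a small Python script that parses web server access log lines in the Apache common format and raises two kinds of alert, one for a source that requests many distinct non-existent paths (file-name guessing) and one for a request path carrying an injection-like pattern. The log lines, the IP addresses (RFC 5737 documentation ranges), the field names and the threshold of four distinct 404 paths are all constructed for the illustration.

```python
"""Minimal centralized-log analysis: flag server probing and injection-like
requests in web server access logs. Added illustration; the log lines,
addresses and thresholds below are constructed, not taken from any real site."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access log (Apache "common" format). Addresses come from
# the RFC 5737 documentation ranges; the requests are made up for the example.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /about.html HTTP/1.1" 200 300
198.51.100.9 - - [10/Oct/2023:13:55:40 +0000] "GET /admin HTTP/1.1" 404 0
198.51.100.9 - - [10/Oct/2023:13:55:40 +0000] "GET /phpmyadmin HTTP/1.1" 404 0
198.51.100.9 - - [10/Oct/2023:13:55:41 +0000] "GET /wp-login.php HTTP/1.1" 404 0
198.51.100.9 - - [10/Oct/2023:13:55:41 +0000] "GET /.env HTTP/1.1" 404 0
198.51.100.9 - - [10/Oct/2023:13:55:42 +0000] "GET /backup.zip HTTP/1.1" 404 0
198.51.100.9 - - [10/Oct/2023:13:55:43 +0000] "GET /products?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 812
"""

# One access-log line: source, identd, user, [timestamp], "METHOD path proto", status, size.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Patterns typical of SQL injection probes, matched against the URL-decoded
# request path. Deliberately narrow; a real deployment tunes these against
# its own traffic to keep false positives down.
SQLI_RE = re.compile(
    r"(?i)(\bunion\b\s+(all\s+)?\bselect\b|'\s*(or|and)\s+|;\s*drop\b|--\s*$)"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["decoded_path"] = unquote(rec["path"])  # %27 -> ' etc., so patterns see the real text
    return rec


def analyze(log_text, probe_threshold=4):
    """Scan a log and return a list of alert dicts.

    - 'probing': one source requested at least `probe_threshold` distinct
      paths that returned 404, the usual signature of file-name guessing.
    - 'sqli': a request path contains an injection-like pattern.
    """
    alerts = []
    not_found = defaultdict(set)  # source -> set of distinct 404 paths
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole analysis
        if rec["status"] == 404:
            not_found[rec["src"]].add(rec["path"])
        if SQLI_RE.search(rec["decoded_path"]):
            alerts.append({"kind": "sqli", "src": rec["src"],
                           "detail": rec["decoded_path"]})
    for src, paths in not_found.items():
        if len(paths) >= probe_threshold:
            alerts.append({"kind": "probing", "src": src,
                           "detail": f"{len(paths)} distinct 404 paths"})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"[{a['kind']}] {a['src']}: {a['detail']}")
```

The point of feeding every host's logs to one place is that the 404 count per source is only visible when the requests from one address are seen together; on a single server that sees two of them, nothing stands out. Synchronized clocks (item 3's NTP point) matter for the same reason: correlating entries from several machines assumes their timestamps agree.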