
Implementing a Viable Information Security Management Program
The viability of an information security infrastructure is heavily reliant upon its configuration, management, and alignment with business goals. As information has become increasingly critical to today’s businesses, so too has the need to obtain individuals who are trained, certified, and experienced in information security management. However, the ability to locate, hire, and retain qualified individuals has become increasingly difficult.
To address these issues and provide organizations with unsurpassed information security management, NetSecureIA has developed a custom-tailored Information Security Management service.
Cornerstones of a Viable Information Security Management Program
Organizations continue to deploy information security solutions to help assure the confidentiality, integrity, and availability of their information resources. Driving forces may be greatly varied, but the desired result is the same: to protect information and the systems that process, transmit, and store data in a cost-effective manner. Unfortunately, most organizations fail to implement effective information security solutions and often fall victim to knee-jerk purchases that fail to adequately address their complex information security requirements.
How can an Information Security Management Program be positively integrated in a cost-effective manner? Organizations must have the following:
- Balance - Business goals, budgets, and information security requirements must be in equilibrium. This requires active communication and interpretation between business, technical, and security goals.
- Support - Management must identify and support the goal of integrating ongoing information security with business operations.
- Plan - Information technology and business management are complex fields. Information security must bridge the gap between the two and integrate seamlessly with business and technical goals. This may only be accomplished by supporting a formal information security management plan.
- Education and Experience - Implementing an Information Security Management solution is not a simple set-it-and-forget-it task; it requires formal education and experience to be successful.
Information Security Reporting
A key component of the Information Security Management service is a regularly scheduled report that tracks all ongoing information security management tasks, configuration changes, recommendations, and consultative topics. Each report includes an executive overview that summarizes the regularly scheduled information security activities and highlights any concerns that may have been identified. In addition, a yearly report will be compiled that summarizes the Information Security Management activities and the overall security posture of the organization.
Information Security Device Management
The device management component maintains security devices and monitors and responds to vendor vulnerabilities through proactive management. This includes applying software updates and configuration changes to address vendor vulnerabilities and maintain secure operating environments. In addition, regularly scheduled updates, such as IPS signature updates and security management device updates, are also performed and documented.
To properly maintain an information security infrastructure, the supporting devices must be proactively maintained to identify potential security issues, adjust to changes resulting from software updates, and help ensure the ongoing needs of the organization are met. The following section details the infrastructure management tasks that are typically performed as part of the Information Security Management service.
Firewall
• Hardware health check
• Log review
• Report generation
• Configuration changes based on log and report review
• Configuration backup
IPS
• Hardware health check
• Report generation
• Signature tuning
• Incident investigation
• Configuration backup
Log Correlation / Reporting / Incident Management
• Incident investigation
• Report review and modification
• Reporting device verification
• Case creation / updates
• Configuration backup
Web Security
• Hardware health check
• Log review
• Security updates
• Configuration backup
Security Consultation
As part of the ongoing Information Security Management service, a consultative session designed to facilitate discussion of key security issues will commence. The consultation will result in recommendations and/or action items that may require changes to the security infrastructure based on the strategic direction of the organization. This consultation is typically a management-level activity designed to provide executive input on new business opportunities and objectives as they relate to information security. The outcome of the consultations will be documented and shared with the organization’s management in the service reports.
Information Security Management Report
Information security management activities will be documented and summarized in a scheduled security report. The report will contain the information necessary to track the status of information security infrastructure management. The report will include an executive summary, recommended action items, the status of past recommendations, and proactive software and configuration management information. The regularly scheduled reports will be summarized into a yearly report that provides management with valuable information that is easy to parse. The reports will provide an invaluable means of tracking the status of the information security infrastructure and the changes that have occurred, and, if need be, will provide valuable compliance data.
To learn more about the services provided by NetSecureIA, please feel free to contact us.