Ensure security best practice when deploying new technologies
Managers must balance the benefits of new technologies with the security risks they pose. Use this advice to maintain your security architecture's standards and ensure that it isn't compromised by newly integrated technologies.
Top-notch companies wield cutting-edge technology to stay ahead of the pack. But with the breakneck speed at which technologies roll out, an enterprise's supposedly robust security architecture could quickly become ill-prepared for the new milieu. At the same time, technologies purportedly ready for deployment could be ushering in new vulnerabilities and exposures. Diana Kelley, security technology strategist at Computer Associates, and Jim Walker, adjunct professor of computer security at Carnegie Mellon University and manager of product marketing at ServGate Technologies, provided some advice for keeping your security architecture efficient and on par with the IT industry's best practices. Further, they provided some guidance for ensuring that your security environment remains effective as you integrate new technologies.

Start with standards, guidelines, and tools

"To ensure that a company's security policies are in line with best practices, the IT manager must be knowledgeable of the latest standards," Walker said. Security technology vendors are a good source of information regarding standards, since their products and services most likely help companies comply with these standards, he said. Kelley concurred that managers must be familiar with the ISO standard and the NIST and CSI guidelines, since these set the pace for what is considered best practice. "Consult with knowledgeable professionals in the area for focused and specific guidance that meets both the best practice standards as well as the individual needs of the business," she advised. Walker emphasized that education is ultimately the key to assessing one's security policies. "The more knowledge an IT manager has about security the better," he said. "Having an IT support that is knowledgeable in security and proper security constructs will help keep things in line. If the company's IT staff is a one-woman army, becoming aware of available analysis tools for gauging her security practices with the industry's best practices is imperative."

Match the business need to the technology

According to Kelley, whenever a new technology is evaluated for inclusion in an enterprise IT architecture, managers should first establish the business need that will be met by the new technology: the business case for implementation and the success metrics associated with this new technology. Then they can move into reviewing their existing policies, management frameworks, and legacy systems to see where the intersection points occur, she said. "Oftentimes, new technology will cause exceptions in policy due to legacy or other restraints," Kelley said. "Match the business need to the technology, to the restraints and exceptions, and revise policies and procedures as needed." Kelley said it's important to note that an entire security policy needn't be rewritten every time a new technology is introduced. However, the new technology must fit in with the overall policy and management framework or have exception handling for non-compliance, she said. Sometimes a subpolicy or an addendum can be a good way to establish the policy for the new technology.

Scrutinize the new technology

Kelley said managers should familiarize themselves with the technology itself and any known vulnerabilities inherent in the technology. For example, if an enterprise is going to deploy wireless, understanding the IEEE 802.11 specification is critical, as is checking on the related standards, such as the Wi-Fi Alliance's WPA and the 802.1X standard—IEEE as well, but not exclusive to wireless—which can be used with WPA. "Another example of a new technology that bears study before deployment is VoIP," Kelley said. "How does the technology work? What are the risks? VoIP considerations would include the effect on the organization if downtime occurs due to a DoS or poor bandwidth management." Kelley suggested online resources, conferences, and other educational outlets, and the vendors who provide the new technology. Walker said that when deploying a new technology, it is important to review it for proper security constructs. "Find out if the new technology has undergone security certifications, such as Common Criteria and ICSA," he said. "These certifications have been developed so that a common level of security could be established." For example, the U.S. government requires a level of Common Criteria to be attained before a new technology is considered for deployment in any government network, he said.

Don't forget the details

Walker stressed attention to factors that should be considered part of an overall security policy for the organization before and after implementing any new technology. He said IT managers should ask themselves the following questions:
- Does the technology require a connection?
- If so, does it use only specified ports on a machine?
- Does the technology’s database encrypt important information such as passwords or customer information—credit card numbers, Social Security numbers, etc.?
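The first two questions above (does the technology need a connection, and does it use only the ports the vendor specified?) are easiest to answer by comparing what a freshly deployed system actually listens on against the list agreed during review. The script below is an added example, not part of the original article: it parses `ss -tulpn`-style output (the sample here is constructed, as are the process names `voipd` and `agentd` and the allowlist), reports any process or port that was not in the allowlist, and separately lists sockets bound to every interface so they can be cross-checked against the host firewall.

```python
"""Compare a new system's listening sockets against the ports agreed at review time."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `ss -tulpn` output for illustration; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:5060      0.0.0.0:*          users:(("voipd",pid=1201,fd=5))
tcp   LISTEN 0      128    0.0.0.0:5060      0.0.0.0:*          users:(("voipd",pid=1201,fd=6))
tcp   LISTEN 0      128    0.0.0.0:8080      0.0.0.0:*          users:(("voipd",pid=1201,fd=9))
tcp   LISTEN 0      128    127.0.0.1:5432    0.0.0.0:*          users:(("postgres",pid=880,fd=7))
tcp   LISTEN 0      128    [::]:22           [::]:*             users:(("sshd",pid=640,fd=3))
tcp   LISTEN 0      128    0.0.0.0:9100      0.0.0.0:*          users:(("agentd",pid=1330,fd=4))
"""

# Assumed allowlist agreed with the vendor: process name -> set of (protocol, port).
ALLOWLIST: Dict[str, Set[Tuple[str, int]]] = {
    "voipd": {("udp", 5060), ("tcp", 5060)},
    "postgres": {("tcp", 5432)},
    "sshd": {("tcp", 22)},
}

# Matches one data line: protocol, state, queues, local address:port, peer, and the first process name.
LINE_RE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)"'
)

Listener = Tuple[str, str, str, int]  # (process, proto, local address, port)


def parse_ss(output: str) -> List[Listener]:
    """Turn ss -tulpn text into (process, proto, addr, port) tuples; header and odd lines are skipped."""
    listeners: List[Listener] = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append((m["proc"], m["proto"], m["addr"], int(m["port"])))
    return listeners


def find_unexpected(listeners: List[Listener],
                    allowlist: Dict[str, Set[Tuple[str, int]]]) -> List[Tuple[str, str, int, str]]:
    """Return (process, proto, port, reason) for every socket the allowlist does not cover."""
    findings = []
    for proc, proto, addr, port in listeners:
        allowed = allowlist.get(proc)
        if allowed is None:
            findings.append((proc, proto, port, "process not in allowlist"))
        elif (proto, port) not in allowed:
            findings.append((proc, proto, port, "port not in allowlist for process"))
    return findings


def wide_open(listeners: List[Listener]) -> List[Tuple[str, str, int]]:
    """Sockets bound to all interfaces; each one should be justified or blocked by the host firewall."""
    return [(proc, proto, port)
            for proc, proto, addr, port in listeners
            if addr in ("0.0.0.0", "[::]", "*")]


if __name__ == "__main__":
    found = parse_ss(SAMPLE_SS_OUTPUT)
    for finding in find_unexpected(found, ALLOWLIST):
        print("UNEXPECTED:", finding)
    for sock in wide_open(found):
        print("bound on all interfaces:", sock)
```

On a real host, feed the script the output of `ss -tulpn` (run as root so process names are shown) and keep the allowlist in version control alongside the deployment's change record, so a later audit can show which ports were agreed and which appeared afterwards.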
Reproduced from an article published by TechRepublic
© TechRepublic
The original article can be viewed here:
http://techrepublic.com.com/5102-6313-5295063.html