The business world is increasingly reliant on technology to supply information and communications facilities to staff, partners, and customers. Securing organisational information and the systems that are used to manage and transmit data has become a high profile function. Failure to secure information can have a severe impact on business credibility.
The advent of corporate governance is giving IT managers a new headache, brought on by financial regulation, data protection, duty of care and the overall protection of intellectual property when dealing with customers and suppliers through IT systems.
Directors of these organisations are now under pressure to ensure that they exercise their responsibilities with the goal of providing strategic direction, ensuring that objectives are met, ascertaining that risks are managed appropriately and verifying that the organisation’s resources are used responsibly. Applied to IT, corporate governance becomes IT governance: the system by which IT is directed and controlled, and the rules and procedures for making IT decisions.
The types of threats change constantly, so management must sponsor, design, and implement business and technical processes to safeguard critical business assets.
To create a more secure business environment the organisation must:
• Assess business exposure and identify which assets to secure.
• Identify ways to reduce risk to an acceptable level.
• Design a plan for mitigating security risks.
• Monitor the efficiency of security mechanisms.
• Re-evaluate effectiveness and security requirements regularly.
All of these activities must be coordinated within a well-defined strategy. An organisation can manage risk to an acceptable level by developing security policies and making staff and commercial partners aware of their responsibilities within them. Security can also contribute to an organisation’s bottom line, because customers value the reliability of a supplier.
A number of best practice sources are available to help an organisation develop a security management framework, produce an effective security policy and implement it through a security programme. These include the Microsoft Operations Framework (MOF), which aligns defence with other critical services such as Business Continuity Management and Change Management, and industry security standards such as ISO 17799:2000 and the IT Infrastructure Library (ITIL) Best Practice in Security Management.
What organisations now need is to work with a partner who not only understands the infrastructure that delivers the IT elements of the business but can also articulate the security management framework requirements needed to ensure a secure and well managed infrastructure.
It is our view that most organisations have a security strategy which describes the nuts and bolts of their security layers (firewalls, authentication, remote access and so on) but fail to embed this in a security management framework which defines clear roles and responsibilities, classification of data, audit controls, access control and the like.
Most will argue that this seems overkill and is the domain of only the large banks and manufacturers who employ teams of security personnel. Not true.
It’s a misconception that developing a security management strategy is a big piece of work; using common sense and adopting publicly available resources can go a long way to ensuring that the investment in the physical trappings of security, such as firewalls, doesn’t go to waste.
Without a process around these tools for protecting your digital assets, and clearly defined ways of measuring how secure your network is, this investment will be only partly realised and, worse, will leave security holes open to exploitation and cost you customer credibility.
Through engaging one of Servo’s professional services consultants, a customer will gain the following benefits:
• Benchmarking to assess the status of security management processes and controls
• Review of security policies against security best practices
• Using a gap analysis to identify the divergence of existing security arrangements against the standard
• Review of security infrastructures and the process controls for managing and reporting on security incidents and access control
• Review of security roles and responsibilities
A typical engagement could be as little as 3 days of consultancy to produce a concise and detailed review of your organisation’s position against best practice for security management. Servo will work with you to tailor a specific set of clearly set out objectives and deliverables.
More information
If you want to receive more information or to discuss specific requirements with one of Servo’s consultants please email secaudit@servo.co.uk.