Sunday, July 17, 2011

Why a firewall, IPS & Antivirus won't make you secure

Did you just install the firewall that tops Gartner's Magic Quadrant? Did you combine it with a powerful IPS with up-to-date signatures? Did you add an antivirus on top of your arsenal? Do you keep updating and patching your operating systems and applications? Do you have the latest DLP protecting your data? Are you splitting your internal network into VLANs for security reasons? Well, that's an "OK" effort, but unfortunately it's not enough...
Now one might say: "Of course we need to monitor all these systems." Still not enough. Another might say: "We are blocking all USB ports." Again, that's not enough either. One might say: "We will run penetration tests every now and then to validate how secure our measures are." Yet again, that's not enough. You might say: "Training is an ongoing process with our Information Security and IT Security departments." Still, that's not enough...

Let's think of information security as a business model, a complete one. Information security is better thought of as a concept, not as a technology: technology helps us protect our data, but it doesn't do that by itself; it needs human intervention to achieve that. The human factor is the most important link in the security chain. It can become the weakest link, as many of us have already seen in many cases, and it can become the toughest. Imagine a place where the most advanced technologies are used to secure and protect the data while the employees share their passwords with each other to make their jobs easier; that place is risking a lot. In this case we may need to combine biometric authentication with the usual username/password system, forming a multi-factor authentication system, to overcome this problem. But what if the employees, a.k.a. the system users, are not convinced by the security measures forced on them? What if a bank employee discusses a bank client's financial status with some external party, like a friend or someone they met at a bar?
The point is, besides following a standard like BS 7799 or ISO 27001 and having our policies, solutions and technologies in place, we have to spread security awareness across our organization. Over many years of "trying" to enforce information security policies, I've found that systems' users tend to apply and follow policies when they are convinced by them, more than when policies are simply enforced on them. Being convinced by the policies can be achieved through security awareness, and awareness can be spread via training, e-mails, web portals or even competitions.
Just look at the whole business plan altogether: just as you shouldn't focus on production and neglect distribution, or focus on marketing while leaving human resources out of scope, you shouldn't focus on information security standards, policies, solutions and technologies while leaving the human factor out of scope.

4 comments:

  1. Instead of doing a huge technical effort, simply kill the nosy bastards :PpP

  2. Ahmad Zaki,

    Can I somehow join your circle and see your postings in English? I cannot read the language you are writing in.

    I am also in Info Sec for Financial. I am very interested in your articles which hit home for me. We use the IBM Iseries and I agree with a lot of what you say.

    Rich

  3. Hey Rich, sure you can add me to your circles; you can find my Google ID here within my profile.
    If you are using IBM iSeries then I guess you are using OS/400, where you should be aware of the printing "spool" permissions' configuration, among some other issues :)
    As for the language, I'm using the English language throughout this blog till now.
