The world is a complex place nowadays and threats to a company’s data and networks can come from so many places that at times it’s hard to keep up. Hardly a week goes by now where there isn’t some new network security threat or breach of information. We don’t necessarily hear about all of these, and incidents that make the news tend to be those that are most far-reaching and which have likely affected vast numbers of businesses or citizenry.
Trying to explain network security in detail can be daunting. So, in an attempt to simplify things, we’ve boiled it down to the “three P’s”: policy, procedure, and prosecution. Everything you do around security should fall into this critical triad.
Security Components Include Policy, Procedure, Prosecution
First, one of the fundamental problems that a lot of businesses have is the underlying policy of governance around information security. That is not just based on digital assets; it’s really any information that a company has created or been entrusted with or provided by a third party. A company has to have some methodology of securing that information and meeting or exceeding its own standards or requirements. Whether this is done through regulation or through industry best practices, it is a decision based on a combination of company mission, culture and management preference. Regardless of the approach, establishing governance is one of the key principles of network security.
Procedure is the second part of the triad and really means assigning administrative and technical controls to enforce the conditions of the company’s established policies. Administrative and technical controls may be either human-based (established through workflow monitoring, managerial oversight or similar means) or programmatic. Whatever procedures you employ, Cisco’s lifecycle of a threat (Remediation, Detection, Confirmation, Mitigation) can be used as a framework for outlining procedures for your business.
Finally, there’s prosecution. This is a term that may conjure images of identifying and locking up “bad guys”, but it is important to highlight that the prosecution component also includes gathering the underlying data of an attack for forensics purposes, and for determining incident response. Prosecution also includes steps for gathering the facts so that you’re able to interface with legal counsel and safeguard your business against any liability or fault that may have resulted from a breach.
Right-sized Security Means Continually Refining
Effective security starts with making sure that security is right-sized for your organization. By understanding the risks and threats the organization faces (an understanding that can be informed and guided by network intelligence and by the experiences of company executives, customers, and other key stakeholders), you’ll be better able to understand what right-sized means for your business.
Right-sizing also means taking an architectural approach to security, meaning there should be a cohesive design of all the elements. A strategic and effective enterprise security architecture today needs to be based on “defense in depth”, so that it incorporates layers of defensive strategies. The components at each layer work in tandem to provide one cohesive security mechanism.
The three P’s are merely the major components of a security program. Creating a great security program for your organization takes time, and the program needs to be flexible. Once you’ve established your program, don’t be afraid to challenge it and then adjust as necessary; there are many ways to improve network security. Remember, security is a marathon, not a sprint.