I occasionally get queries from clients running small or medium businesses, where a single person or a very small team handles ICT and they are looking for general guidelines on how to secure their Information Systems (IS).
The bad news is that, since Information Security is an ongoing, continuous process in any organization, there is no fixed set of rules applicable across all businesses. There are, however, a few standard steps you can take to get everything into place. Beyond that there is nothing routine about Information Security, because an IS is powerful and constantly changing.
As per the basic practice of Information Security implementation, you start by performing a Risk Assessment. This is done by identifying the Threats and Vulnerabilities affecting your IS. You also perform a valuation of your assets and calculate the value of the damage these threats could cause to your business. Finally, you calculate the cost of mitigating those risks by implementing safeguards and, weighing the value of the asset against the cost of mitigating the risk, you decide whether to reduce, transfer, accept or ignore the risk.
Let’s take an example where you have a business and you host a website that shows marketing information about your business. A threat analysis of your web server has revealed a major vulnerability which requires either a complete redesign of the site or the implementation of an intrusion detection system. You realize that the cost of implementing these safeguards would not be worth the information being protected, so you accept the risk and continue running your business normally despite the vulnerability.
Information Security has generally been implemented voluntarily by businesses interested in protecting their trade secrets and ensuring business continuity and reputation, without following any specific standard. However, new regulations and standards are being aggressively promoted and made mandatory for a large number of businesses through the organizations they are connected to. It is therefore a good idea for the ICT staff of these businesses to follow guidelines that make their IS security more compatible with those standards, enabling them to pass security audits with minimal changes.
The following is a rough, mixed list of security guidelines that should be implemented across all Network Equipment, Operating Systems and Applications, unless stated otherwise.
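To make the risk assessment steps above concrete, here is an added example (not code from the original article) that carries the marketing-website case through a small risk register. Asset values, exposure factors, incident rates and safeguard costs are constructed figures, and the reduce-or-accept rule is an assumption used for illustration.

```python
# Added example (not from the original article): a minimal risk assessment
# following the steps described above. Asset values, exposure factors,
# incident rates and safeguard costs are constructed figures, and the
# reduce-or-accept rule is an assumption used for illustration.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Risk:
    asset: str
    threat: str
    asset_value: float      # business value of the asset
    exposure_factor: float  # fraction of asset value lost per incident (0..1)
    annual_rate: float      # expected incidents per year
    safeguard_cost: float   # annualised cost of the proposed safeguard


def single_loss_expectancy(r: Risk) -> float:
    """Value of the damage one occurrence of the threat would cause."""
    return r.asset_value * r.exposure_factor


def annual_loss_expectancy(r: Risk) -> float:
    """Expected yearly loss: per-incident damage times expected frequency."""
    return single_loss_expectancy(r) * r.annual_rate


def treatment(r: Risk) -> str:
    """Assumed rule: reduce the risk when the safeguard costs less than the
    loss it prevents; otherwise the safeguard is not worth the information
    protected, so accept the risk (as with the marketing website above)."""
    return "reduce" if r.safeguard_cost < annual_loss_expectancy(r) else "accept"


def assess(register: List[Risk]) -> List[Dict]:
    """One risk-register row per risk, highest expected annual loss first."""
    rows = [{"asset": r.asset, "threat": r.threat,
             "ale": annual_loss_expectancy(r),
             "safeguard_cost": r.safeguard_cost,
             "treatment": treatment(r)} for r in register]
    return sorted(rows, key=lambda row: row["ale"], reverse=True)


# Constructed sample register: the marketing website from the article plus a
# customer database, with illustrative figures.
SAMPLE_REGISTER = [
    Risk("marketing website", "defacement via web vulnerability", 5000, 0.5, 1.0, 20000),
    Risk("customer database", "record theft via unpatched server", 200000, 0.5, 0.25, 8000),
]
```

Calling `assess(SAMPLE_REGISTER)` ranks the database risk first and recommends reducing it, while the website risk is accepted because the safeguard costs more than the expected loss.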
Change Control:
A change control process should be enforced for any hardware, software or configuration change in the organization.
The change control process should include the following:
Business requirement for the change
Documentation of impact
Management awareness & approval process
Testing for verification of operation
Back-out plan
Default Credentials:
All vendor default passwords, SNMP communities, wireless keys etc. should be changed.
Configuration Templates:
Develop Configuration Templates for all Operating Systems, Applications and Network Equipment.
Also make sure that:
Every server has ONE primary function only
All unnecessary and insecure services/protocols are disabled
Access controls are present to prevent misuse
All non-required components, such as scripts, drivers and features, are removed from the servers
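One way to check a server against its configuration template, as an added example that is not part of the original article: the role templates, the insecure-protocol list and the sample `ss -tlnp` output are constructed assumptions, and the check flags any listening port the server's single primary function does not call for.

```python
# Added example (not from the original article): check a server's listening
# services against the configuration template for its single primary
# function. The role templates, the insecure-protocol list and the sample
# `ss -tlnp` output are constructed for illustration.
import re
from typing import Dict, List, Set

# Template: the only ports a server of each role is expected to expose.
ROLE_TEMPLATES: Dict[str, Set[int]] = {
    "web": {22, 80, 443},
    "mail": {22, 25, 587, 993},
}
# Protocols treated as insecure in this example (cleartext logins/transfers).
INSECURE_PORTS: Dict[int, str] = {21: "ftp", 23: "telnet", 69: "tftp"}

SS_LINE = re.compile(r"^LISTEN\s+\S+\s+\S+\s+(\S+):(\d+)\s")


def parse_listening_ports(ss_output: str) -> Set[int]:
    """Extract local ports from `ss -tlnp`-style output (header is skipped)."""
    ports = set()
    for line in ss_output.splitlines():
        m = SS_LINE.match(line.strip())
        if m:
            ports.add(int(m.group(2)))
    return ports


def audit_server(role: str, ss_output: str) -> List[str]:
    """Return one finding per listening port the role template does not allow."""
    findings = []
    for port in sorted(parse_listening_ports(ss_output) - ROLE_TEMPLATES[role]):
        if port in INSECURE_PORTS:
            findings.append(f"port {port} ({INSECURE_PORTS[port]}): insecure protocol, disable")
        else:
            findings.append(f"port {port}: not in '{role}' template, disable or justify")
    return findings


# Constructed sample: a web server that also exposes telnet and a database.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=610,fd=3))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=820,fd=6))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=820,fd=7))
LISTEN  0       5       0.0.0.0:23           0.0.0.0:*          users:(("inetd",pid=300,fd=4))
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=900,fd=20))
"""
```

`audit_server("web", SAMPLE_SS)` reports the telnet listener as an insecure protocol and the database port as outside the web template; on a real host, feed it the output of `ss -tlnp` instead of the sample.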
Anti-Virus:
All Windows systems on the network should have a regularly updated anti-virus. The corporate email server should also have an anti-virus for scanning all incoming and outgoing emails.
Every system, including Operating Systems, Applications and Network Equipment, should have the latest security patches installed within one month of release. A process should be in place to obtain security updates from vendors.
Access Control:
Each user must have a unique login ID and password in order to access the system. These passwords should be stored and transmitted in encrypted form.
Monitoring Access:
Logging and tracking should be implemented for all system accesses and configuration changes. The logs are used for auditing purposes.
The following should be enforced for logging:
Logs should be saved in a central, secure location
Access to the logs should be strictly limited to authorized users
All system clocks should be synchronized through NTP
The logs should be retained for one year
Physical Security:
Physical access to equipment and systems must be controlled through an Entry Control System, and the organization should enforce identification for authorized employees, vendors and visitors.
To ensure good physical security, the organization should:
Use cameras to monitor and retain the videos for at least 3 months unless prohibited by law
Restrict physical access to wireless access points and active physical network jacks
Vulnerability Scanning and Penetration Testing:
The systems should be scanned by qualified personnel for vulnerabilities, and fixes should be applied for any vulnerabilities found.
Scanning should be done at least annually and must be done after any major change in the system.
Components:
The network should be segmented to keep regular traffic separate from management traffic. Internal addresses should be hidden from the outside through NAT unless public access is required. Updated network diagrams should always be ready and accessible.
Web servers should be used along with an application layer firewall.
Firewalls should be configured with proper planning and documentation. The following best practices should be followed:
The services necessary for the business should be documented
Every change and policy should be linked to a change control number
Roles and access controls should be defined for Firewall Administrators
Policies should be reviewed quarterly
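An added example (not code from the original article) of auditing a firewall rule set against the practices just listed: the documented service list, the rules and their change control numbers are constructed sample data, and the 90-day review window is an assumption standing in for the quarterly review.

```python
# Added example (not from the original article): audit a firewall rule set
# against the practices listed above. The documented service list, the rules
# and their change control numbers are constructed sample data; the 90-day
# review window is an assumption standing in for the quarterly review.
from datetime import date
from typing import Dict, List

REVIEW_WINDOW_DAYS = 90

# Documented list of services necessary for the business (constructed).
DOCUMENTED_SERVICES: Dict[str, int] = {"https": 443, "smtp": 25, "ssh-mgmt": 22}

# Constructed rules: each should cite a change control number, map to a
# documented service and have been reviewed within the window.
SAMPLE_RULES = [
    {"id": 1, "service": "https", "port": 443, "change": "CC-2011-017", "reviewed": date(2012, 1, 10)},
    {"id": 2, "service": "smtp", "port": 25, "change": "", "reviewed": date(2012, 1, 10)},
    {"id": 3, "service": "rdp", "port": 3389, "change": "CC-2011-042", "reviewed": date(2011, 6, 1)},
]
SAMPLE_TODAY = date(2012, 2, 4)  # audit date used for the sample run


def audit_rules(rules: List[dict], today: date) -> List[str]:
    """Return one finding per violated practice, tagged with the rule id."""
    findings = []
    for r in rules:
        if not r["change"]:
            findings.append(f"rule {r['id']}: no change control number")
        if DOCUMENTED_SERVICES.get(r["service"]) != r["port"]:
            findings.append(f"rule {r['id']}: service '{r['service']}' on port "
                            f"{r['port']} is not on the documented service list")
        if (today - r["reviewed"]).days > REVIEW_WINDOW_DAYS:
            findings.append(f"rule {r['id']}: last review is older than "
                            f"{REVIEW_WINDOW_DAYS} days")
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES, SAMPLE_TODAY):
        print(finding)
```

Running it on the sample flags rule 2 for the missing change control number and rule 3 both for an undocumented service and for an overdue review, while the fully documented rule 1 passes.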
These are simple checklists which can be customized depending on the configuration and components that make up your enterprise network. The majority of incidents happen because, while the systems may be ready, the people usually are not. To achieve maximum readiness, the people who manage and monitor the systems must regularly rehearse these procedures so that they can recover faster. Remember, prevention is always better than cure!
About the Author
Talha Ghafoor is a Senior Security Specialist and a qualified CISSP, CISA, PCI-QSA and JNCIS-FWV. He has 10+ years of industry experience with a strong history of working with Tier 1/Fortune 10 Financial Services Institutions in Europe and the Middle East.