The value of a security assessment
Ryan Bollman, Senior Security Engineer
If someone were to ask you to define what makes up a good information security policy, what would you say? The answer to the question varies from business to business. Perhaps that is one of the reasons why developing and implementing a security solution can prove to be difficult for many organizations. To answer this question, the organization needs to first identify what “the information” is. It is estimated that 70% of business value for Fortune 500 companies is attributed solely to their information assets. The first step in accurately securing the information is to classify the information. The information itself may include proprietary corporate information, private customer information, contact information, or it may be services such as voice. Simply put, these are critical functions that the company needs to protect to ensure business continuity.
Many business leaders have been part of some sort of business continuity discussion that defines the importance of the various functions and services. However, one of the many challenges that businesses and organizations have is identifying how to secure that information in a cost-effective manner. A great place to start is a security assessment.
Step One: ID Critical Functions
A security assessment focuses on the business assets, the risks to those assets, and methods for reducing the risk. The first step in an effective security assessment is to understand the organization. The goal is to identify critical business functions and the resources these functions depend on. This step is extremely important since it will set the scope for the assessment.
Once the assets have been identified, a value is assigned. To determine the value of your assets, consider:
· If unavailable, how long will the business operate?
· If lost, would reputation be compromised?
· Are there regulatory requirements?
· If compromised, what financial implications are there?
· Would productivity be lost?
Step Two: ID Risks
The next step in the process is to identify the risks associated with each of the assets. This establishes the economic feasibility of the overall plan. Risks can be manmade, natural, or technical. A manmade threat may be as simple as a misconfiguration that leaves vulnerabilities open to exploitation. Natural threats are unavoidable but still need consideration. Technical threats may include the loss of power or data communications, device failures, or data corruption.
Step Three: Compare Risk to Threat
Once the risks have been identified and qualified (and, if possible, quantified), a threat analysis is carried out. Here, the assessment team compares the risk against the likelihood of each identified threat. This information is one of the core values of the assessment. With it, asset owners have enough information to establish a prioritized strategy that will reduce, transfer or accept the identified risks. The business can also be assured that remediation options will directly reduce the risks to assets that are critical to the business.
Hosted Firewall Service
Delivering Network Security Protection for Minimal Cost
Charlene Williams, Senior Product Manager
Nearly all businesses have increased the use of the Internet in their daily practices. Employees use the Internet to gain access to applications, company data, customer or vendor data, and various other resources. This increased use of the Internet, along with more regulatory requirements for many industries, increases the importance of risk management for company networks. The company network has become one of the most important assets for businesses today. For many businesses, overall success relates directly to the network; therefore, the security of this network has become one of their highest priorities.
The impact of a network attack can be widespread and devastating: lost productivity due to a deteriorated network, increased customer dissatisfaction, and the loss of critical data. Network attacks always come with a financial impact to the organization. Although it is getting harder to put an exact amount on these attacks, there are reports available that provide some insight into the financial impact that organizations have reported. According to the 2008 CSI Computer Crime and Security Survey, dealing with loss of either proprietary information or loss of customer and employee confidential data averaged approximately $241,000 and $268,000, respectively. Two large retail companies experienced a huge financial blow over the loss of customer credit card information: TJ Maxx lost over $135 million in 2007, and in 2005 DSW's exposure for losses related to a similar security breach ranged from $6.5 million to $9.5 million. It has also been reported to the US Senate Commerce Committee that revenue from cybercrime has now exceeded that of drug crime. Network security requires serious attention.
Building and maintaining a truly secure network requires depth in security knowledge and experience. Most businesses don’t have the resources available to do this on their own. During a time when businesses have been forced to find ways to reduce their budgets, a greater number of businesses are looking to outsource the complexity of the ever-changing network security issues that plague their IT staff. To keep abreast of this critical aspect of their business, they choose to augment their IT staff by utilizing Enventis’ core capabilities to protect their network.
Our customers have come to rely on the experience of our certified security engineers to build and maintain a secure network. Enventis offers a broad range of network security solutions. One component of our network security practices is addressed by the Enventis Hosted Firewall service. The Enventis Hosted Firewall Service has built-in failover capabilities for superior reliability and is designed to deliver high performance with stateful deep-packet inspection of Internet traffic.
With this hosted solution, our centralized firewall is able to protect all of the sites connected to the Enventis network, creating consistency across the entire network. The Enventis hosted firewall stops suspicious activity before it hits your network, providing the customer with a more efficient network. It protects against intrusions and denial-of-service attacks through the Internet and is monitored around the clock. The Hosted Firewall Service provides all of this for our business customers while still saving the company money by reducing the need for capital and in-house security expertise.