Computerworld - In the sciences, there are general principles that can apply to all environments. The principles of physics (i.e. the general laws) are ubiquitous across disciplines. Why should the information security field be any different? It turns out that it isn't.
In my experience, the following general principles have proved beneficial. Companies can apply them with existing internal resources.
1. Map security around business functions
In few areas is the relationship of security to business functions more obvious than in comparing electrical utilities with industrial refineries. Both business models use a segmentation structure around Supervisory Control and Data Acquisition and/or distributed control systems. While both electrical utilities and refineries have these environments, the refineries, in general, have a much more secure implementation of this model. Was this due to particular security requirements? No. Upon querying technical experts from both industries, the rationale became clear: One field had to be much more competitive in the business realm than the other. Industrial refineries had to compete in the business market, while utilities were subsidized and regulated by the government.
If one company operated at even a fraction of a percentage more efficiently and cost-effectively than a competitor did, that business had an edge in the public markets. Tremendous amounts of effort were spent designing and making networks and systems perform core technical requirements in a way that was as efficient and organized as possible. These efforts resulted in networks with a relatively high security baseline. More important, they provided a solid foundation for future security components that might be desired in the future.
Without the economic driver of competition for the electrical utilities, the optimization and maximization of underlying business architectures didn't receive the same attention. As various utilities markets are deregulated, many players find themselves in the position of having to make a profit. However, the underlying infrastructure lacks a foundation solid enough to confidently run critical business tasks, let alone withstand hostile attacks.
2. Define information and data labeling and handling guidelines
Although an arduous initial task, implementing data classification, labeling and handling guidelines will pay huge dividends in the long run. Many companies will invest substantial capital toward vulnerability assessments, network intrusion-detection systems and security best-practice guidelines. Unfortunately, few of these companies ever embrace information labeling and classification guidelines.
If an engineer comes across a business memo he doesn't understand, what are the odds that this information will be handled in a secure fashion commensurate with the memo's value? Conversely, if a secretary receives an e-mail that carries with it
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
