The Top 10 Information Security Myths
MYTH #1: Organizations are more secure now than they were a year ago.
Most companies have taken at least the basic steps to safeguard their assets, and information security has moved from being seen as a business cost to a business enabler. However, new threats and technologies are constantly changing the network landscape, so last year's posture says little about today's. System administrators must scan the network continually for known weaknesses, keep their skills current and, most important, re-examine corporate security policies periodically. Business processes defined a year ago may no longer match the organization's current needs.
MYTH #2: The presence or absence of regulations greatly matters when it comes to protecting customer data.
With or without a legal requirement, organizations should still safeguard their sensitive information. Failure to protect customers' personal data means a loss of consumer confidence, which results in lost revenue and, where regulations apply, government fines. Regulations and laws are getting the attention of C-level executives and forcing them to invest in information security initiatives, but don't be misled into thinking that a regulation's existence means the data is protected.
MYTH #3: External consultants know more about information security than in-house personnel do.
People believe consultants have tools and advanced training that are lacking internally. That's not always true. Before hiring an outside consultant, be sure you haven't overlooked your own staff. Network and system administrators often make good full-time security personnel because they already handle security problems as part of their daily duties. You may find you already have the required skills in-house and that all that's needed is some training. Training in-house personnel also demonstrates your commitment to giving employees growth and career opportunities.
Consider using an outside consultant on an as-needed basis to supplement the skills of your staff. If you decide to bring in outside services, thoroughly validate the consultant's qualifications and experience. Be sure to check references. Outside consultants also can provide a good business partnership beyond the services outlined in a contract. Having an internal contact person well-placed within the organization can help foster a better working partnership and help staff view the consultant as a valuable team member.
MYTH #4: Information security must be managed as a separate business unit to be effective.
You may think keeping information security people together in one department is a good idea. After all, information security professionals all speak the same language and deal with similar concerns. However, a single security group would have to deal with all the business units that have some level of security as part of their charters. If you keep your information security professionals in one group, you risk alienating the business groups with which they'll need to work to conduct security awareness and training programs.
Top-level management must realize that information security is not solely the responsibility of IT, but rather an enterprise function that must mandate input from all business units so each unit can ensure its needs, concerns and mission statements are met. Smart organizations are starting to realize that security has evolved into an enterprise-wide support division, rather than an isolated group dedicated solely to protecting servers. Security professionals can offer cost management, build a stronger focus on customer relations, and help identify and communicate growth opportunities throughout the organization.
MYTH #5: Complex, frequently changed passwords will make my enterprise secure.
No one would argue that a random 16-character password is easy to guess, but it is hard to remember. If you also require users to change passwords every 60 days, they will write them down, which is exactly what you don't want. Instead, create a flexible password policy that lets users choose passwords that are long and hard to guess yet memorable, such as a passphrase. The written password policy should be set by the organization, not the end user, but each end user must be held accountable for managing and safeguarding his or her own password. Passwords written on Post-it notes or stored in Excel spreadsheets are a far bigger threat to security than password cracking.
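The policy described above can be enforced in code without composition rules or forced rotation. Current guidance (NIST SP 800-63B) takes the same line: favour length, screen candidates against known-breached passwords and context words, and require a change only when there is evidence of compromise. The validator below is an added example, not code from the article; the breached-password list and the test passwords are constructed, and the function and constant names are assumptions.

```python
"""Password policy that favours length and breach screening over
composition rules and periodic rotation.  Added example, not from
the article; the breached list below is a constructed sample."""
import re

MIN_LENGTH = 12      # length, not character classes, is what buys resistance to guessing
MAX_LENGTH = 128     # allow long passphrases

# Constructed sample of a breached-password corpus.  A real deployment would
# load a large list (e.g. the Have I Been Pwned hash set) instead.
BREACHED = {"password", "summer", "welcome", "qwerty", "letmein", "football"}

# Substitutions users apply to satisfy "must contain a digit/symbol" rules.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "@": "a", "$": "s"})


def normalize(pw: str) -> str:
    """Reduce a password to its root so that 'Summer2024!' matches 'summer'.

    Leading/trailing digits and symbols are stripped first, then common
    leet substitutions are undone, so 'P@ssw0rd1!' becomes 'password'.
    """
    root = pw.lower()
    root = re.sub(r"[^a-z]+$", "", root)   # strip trailing digits/symbols
    root = re.sub(r"^[^a-z]+", "", root)   # strip leading digits/symbols
    return root.translate(_LEET)


def check_password(pw: str, username: str = "", context=()) -> list:
    """Return the list of policy violations for pw (empty list = accepted).

    No composition rules are applied: a long passphrase of lowercase words
    passes, while a short mutated dictionary word is rejected.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if len(set(pw)) <= 2:
        problems.append("repeated characters")
    if normalize(pw) in BREACHED:
        problems.append("variant of a known breached password")
    lowered = pw.lower()
    if username and username.lower() in lowered:
        problems.append("contains the username")
    for word in context:                      # company name, product name, ...
        if word.lower() in lowered:
            problems.append(f"contains context word {word!r}")
    return problems


def rotation_required(compromise_suspected: bool) -> bool:
    """Rotation is driven by evidence of compromise, not by the calendar."""
    return compromise_suspected


if __name__ == "__main__":
    for candidate in ("Summer2024!", "P@ssw0rd1!2024",
                      "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

`normalize` is deliberately crude; the point is that a breach check applied only to the literal string misses the mutations users reach for when forced to satisfy composition rules, which is why the screening runs on the root form.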
MYTH #6: The padlock icon present during an SSL session means my data is safe.
This is untrue. The padlock icon the browser displays means only that data sent between your device and the site is encrypted in transit and that the server presented a certificate the browser accepted for that host name. It says nothing about whether the site itself is legitimate or safe. Keep in mind that the data you submit is stored on the organization's servers, and how well the organization safeguards those servers is a far bigger risk than the transmission itself. Nothing is 100 percent secure, and even a site using 128-bit encryption can be compromised through flaws in its application or server.
MYTH #7: Migrating from Internet Explorer to Firefox will make my enterprise secure.
If a vulnerability is discovered in your browser, the computers running it are susceptible to compromise, no matter which browser that is. Much of the real risk lies in user behaviour: opening virus-infected attachments and following malicious links are not browser-specific.
As the popularity of Firefox increases, so does the number of flaws exposed in it. Small shops and individual users shouldn't find switching to Mozilla's Firefox a problem; after all, it's targeted at that user base. However, mid- to large-size enterprises may find that Firefox isn't quite ready for the enterprise, despite its better security record. First, at the time of writing Firefox lacks a central management system, making it difficult for administrators to control how the browser is configured and used. Second, if your company has several Web-based applications built around Internet Explorer, migrating to Firefox will incur development costs in addition to the cost of deploying Firefox to your users. Instead, restrict Internet browsing activity to "what access is needed" and "who needs it." Teaching proper browsing behaviour will keep your organization much safer than worrying about which browser you use.
MYTH #8: Increased security spending results in greater security.
This is false. Organizations often use some sort of metric to justify security spending. This can result in spending more money for security products, but not actually building a more secure enterprise. Every company has a unique risk profile that will determine its required security investment. You can't generalize security needs. Instead, establish a risk management profile, manage those risks within a given budget and purchase wisely to meet the needed security level. But don't spend your entire information security budget on hardware and software. Security is as much a matter of awareness as technology, so be sure to spend appropriately on training and educating your users and customers. It's also vital to make security a visible and important part of your organizational culture.
MYTH #9: Wireless networks aren't secure.
Wireless networks, in their early incarnation, were considered less secure than wired networks because the WEP (Wired Equivalent Privacy) protocol had serious, well-documented weaknesses: a short 24-bit initialization vector that is inevitably reused, a weak CRC-based integrity check, and a single shared key. Today there are security methodologies and technologies that replace WEP. A good understanding of the 802.11i wireless standard (WPA2, with AES-CCMP encryption and per-session keys) and the 802.1X authentication standard (EAP-based authentication of each client against a RADIUS server) will assist you in properly designing and configuring your wireless network. Although wireless remains more exposed than wired networking, because anyone within radio range can receive the traffic, IT professionals can make secure and effective use of wireless technology by building in that additional security, properly managing the rich features found in Wi-Fi products and planning to take advantage of future Wi-Fi security enhancements.
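The WEP weakness mentioned above is easy to demonstrate. WEP builds each frame's RC4 key as the 24-bit IV followed by the shared key, so two frames sent under the same IV are encrypted with the same keystream; an attacker who knows (or can guess) the plaintext of one frame XORs it out and reads the other. The code below, an added example that is not part of the article, implements RC4 and the WEP framing, shows the recovery, and computes how quickly IV reuse becomes likely. The key and frame payloads are constructed, and all function names are assumptions.

```python
"""Why WEP was broken: keystream reuse under a repeated 24-bit IV.
Added example, not from the article; key and frames are constructed."""
import math
import zlib

IV_BITS = 24                  # size of the WEP IV field


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 (key scheduling + PRGA), returning n keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(payload: bytes) -> bytes:
    """WEP integrity check value: a plain CRC-32, no key involved."""
    return zlib.crc32(payload).to_bytes(4, "little")


def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body = IV || RC4_{IV || key}(payload || ICV).  The IV is sent in clear."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 3 bytes")
    body = payload + icv(payload)
    return iv + xor(body, rc4_keystream(iv + shared_key, len(body)))


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    """Legitimate receiver: strip the IV, run RC4 and verify the ICV."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4_keystream(iv + shared_key, len(ct)))
    payload, tag = body[:-4], body[-4:]
    if icv(payload) != tag:
        raise ValueError("ICV mismatch")
    return payload


def recover_with_known_plaintext(frame_known: bytes, known_payload: bytes,
                                 frame_target: bytes) -> bytes:
    """Attacker: the payload of frame_known is known; frame_target reuses its IV.

    Because the ICV is an unkeyed CRC, the attacker can reconstruct the whole
    plaintext body (payload + ICV) and therefore the full keystream, then strip
    it off the target frame.  No key is needed.
    """
    if frame_known[:3] != frame_target[:3]:
        raise ValueError("IVs differ; keystreams are independent")
    keystream = xor(frame_known[3:], known_payload + icv(known_payload))
    return xor(frame_target[3:-4], keystream)   # as much as the keystream covers


def iv_collision_probability(frames: int) -> float:
    """Birthday bound: chance that at least two of `frames` random IVs collide."""
    n = 1 << IV_BITS
    return 1.0 - math.exp(sum(math.log1p(-i / n) for i in range(frames)))


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"             # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"
    f1 = wep_encrypt(key, iv, b"GET /index.html HTTP/1.0\r\n")
    f2 = wep_encrypt(key, iv, b"pw=hunter2 user=bob")
    print(recover_with_known_plaintext(f1, b"GET /index.html HTTP/1.0\r\n", f2))
    print(f"P(IV reuse after 5000 frames) = {iv_collision_probability(5000):.2f}")
```

The second number is the practical point: with 2^24 possible IVs, reuse is more likely than not after a few thousand frames, which a busy access point sends in seconds, and many early cards simply counted up from zero on every reset. 802.11i fixes both halves of the problem with per-session keys derived through the 802.1X/EAP handshake and a keyed message integrity code in place of the CRC.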
MYTH #10: Dumping Windows for Linux will increase security.
With proper planning, you can securely deploy both Windows and Linux. Although more viruses are written for the Windows platform, Linux isn't in the clear. Linux does have an advantage in that it's an open-source platform with a worldwide programming and security community supporting it, but an improperly configured Linux server is just as vulnerable as any improperly configured Windows server.
So, should you dump Windows and migrate to Linux? For the majority of enterprises, the answer is no. While more software is becoming available for the Linux platform, organizations will have a hard time finding Linux versions of everything they need to run their businesses. The work associated with migrating to Linux, testing applications to see that they function properly on the platform and retraining users, makes the switch cost-prohibitive and not a viable long-term solution. The better alternative is to use Linux where it performs best: as the underlying OS on appliances and powering high-end workstations and file servers.