Chapter 11. Security Is a Living Process

Individuals charged with developing a business case for network security quickly understand that security is a living challenge that must be continually reviewed. Potential threats lurk everywhere and include hackers external to a company, hackers internal to a company, sloppy or ill-informed users, and extranet-partnered customers or suppliers. All have the ability to pose threats that can go beyond computing systems, potentially resulting in legal implications for certain organizations.

Making the business case for network security requires a thorough analysis of an organization’s fundamentals. It should attempt to solidify strengths, root out weaknesses, uncover opportunities, and confront threats. The process complements the security wheel, which is discussed in this chapter, by highlighting organizational assets and challenges that can serve to advance the corporation.

Relentless need for greater technology, coupled with an ever-increasing dependence on the Internet, has created an environment that is rife with potential vulnerabilities. But many of the greatest threats can be significantly reduced when users exercise vigilance in their everyday activities. This book has shown that the solution is not just equipment. It asks users to become aware and get involved. But mostly, it implores leaders to share security concerns with staff members and then ask for their help. Not surprisingly, staff response is usually highly positive. People want to be involved; quite often, they just need a reason. The ripple effects of positive morale can never be underestimated.

This chapter covers the following topics:

• Security wheel

• Scalability

• Jurisprudence

• SWOT: Strengths, Weaknesses, Opportunities, and Threats

Security Wheel

Making the business case for network security is not a one-time event. Long after monies have been approved and equipment installed, an organization’s macro and micro worlds retain the potential to change at any time. Whether the changes are the result of global terror threats, domestic malfeasance, or inadvertent user mishaps, computing systems are highly vulnerable to ever-fluid situations and the potential for significant damage.

Policies are never constructed in a vacuum, and after being constructed and deployed, they should not be left to wither in a void either. Constant review, renewal, rejuvenation, and regeneration can keep policies current, relevant, and viable.

The Cisco security wheel,1 constructed with policy at its core, as shown in Figure 11-1, has the following components in continual motion:

• Secure

• Monitor

• Test

• Improve

Figure 11-1. Security Wheel

Secure

Secure, residing at the top of the wheel, as shown in Figure 11-2, is the implementation stage. Whether new programs are being initiated or the wheel has been fully rotated and long-standing programs are being improved upon, the entry point for any implementation begins at secure.

Figure 11-2. Security Wheel: Secure

This section considers the following topics:

• Authentication

• Encryption

• Firewalls

• Vulnerability patching

Authentication

Every user has a personal identifier that includes his or her username, password, PIN, digital certificate, or other similar coded token that can be used to establish identity. Before a system can grant access to a user, it must first verify that the user is truly who or what he claims to be, and that he has a legitimate right to come in. The system would most likely use strong authentication, a two-factor identification and verification process that combines, for example, something a user has, such as an access card, with something a user knows, such as a PIN.

Upon request to gain access to the network or equipment, the user’s identity is mapped and the user’s authorization level is confirmed. The process of authentication, authorization, and accounting (AAA) is described in Chapter 3, “Security Technology and Related Equipment.” The process ensures that only legitimate users are allowed to enter and, when they are inside, access is limited to pre-established levels, typically tied to user job functions.

Encryption

Encryption turns data into a format that is unintelligible to unauthorized parties.

An overview of encryption, presented in Chapter 3, includes a discussion about public and private keys, data encryption standards, and assorted other mechanisms that are widely used to ensure that important information is kept away from unauthorized eyes.

Encryption protocols can offer the additional options of integrity and authenticity, in addition to confidentiality.

Firewalls

A firewall prevents intruders from gaining access to internal systems. As discussed in Chapter 3, a firewall usually allows a single point of delivery from an organization to the Internet, as well as allows controlled access from the Internet to DMZ hosts. Rules for access are established, and any transaction that falls outside the prescribed rules is blocked.

Firewalls were originally tasked with protecting the perimeter of a network. As security needs grew, interdepartmental firewalls were added to provide protection for organizations that needed to proactively protect data-sensitive divisions, such as finance, R&D, HR, and other pertinent departments.

Firewalls were once considered the domain of corporate networks, but they are starting to be used on home networks as hackers sense the vulnerability with which many home users leave themselves exposed through dedicated high-speed DSL or cable connections.

Vulnerability Patching

Networks typically contain a wide array of equipment sourced from a variety of vendors. While every supplier takes measures to ensure that equipment is fully functional upon delivery, issues invariably surface that require patches, or fixes. After the vendor recognizes the vulnerability, a patch is created and published to rectify the newly discovered issue.

A systems administrator charged with ensuring that patches are current has a number of issues with which he must contend, including finding out about the existence of any new and applicable patches. As explained in Chapter 3, organizations such as CERT and SANS regularly publish patches. Other services can provide patch alerts for all equipment an organization might have on its network. The systems administrator would need to detail pertinent equipment and respective operating versions, and the service would notify the administrator whenever a patch was published and available.

The challenge next moves to determining a reasonable time frame for installing the newly available patches. The moment a systems administrator is notified about a potential vulnerability, the assumption must be made that a hacker has also been made aware of the same information. Hackers could subscribe to the same patch informational services as systems administrators. Depending on the severity of the vulnerability, hackers might attempt to cause damage right away. The safest course of action is to ensure that patches are applied within a predetermined time frame after notification. Given that patching must be accomplished as part of a systems administrator’s daily routine, finding the time to implement necessary fixes is not always a simple task. Automated patch-management systems centrally deploy patches to devices across an organization. Systems administrators can use these systems to ensure timely installations.

When organizations are faced with the need to apply many patches within a short time frame, prioritization ensures that the most vital patches are applied first. The severity of a particular threat is relative to the equipment an organization has in place, and prioritizing patching for those threats where the company is not yet sufficiently protected can aid in minimizing potential damage.
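The two decisions above, which advisories apply to the equipment actually in place and which have passed their predetermined time frame, are mechanical enough to script. The following is an added example, not code from the book; the inventory, advisories, vendor names, and per-severity deadlines are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample inventory: the equipment and running versions an administrator
# would detail to an alert service. Vendors, products, and versions are hypothetical.
INVENTORY = [
    {"host": "edge-fw-1", "vendor": "ExampleNet", "product": "Firewall", "version": "4.2"},
    {"host": "core-sw-1", "vendor": "ExampleNet", "product": "Switch", "version": "7.1"},
    {"host": "mail-1", "vendor": "ExampleSoft", "product": "MailServer", "version": "2.0"},
]

# Constructed sample advisories, as an alert service might deliver them. Affected
# versions are listed explicitly; severity uses a critical/high/medium/low scale.
ADVISORIES = [
    {"id": "ADV-0001", "vendor": "ExampleNet", "product": "Firewall",
     "affected": ["4.1", "4.2"], "severity": "critical", "published": date(2024, 3, 1)},
    {"id": "ADV-0002", "vendor": "ExampleNet", "product": "Switch",
     "affected": ["6.0"], "severity": "high", "published": date(2024, 3, 2)},    # not our version
    {"id": "ADV-0003", "vendor": "ExampleSoft", "product": "MailServer",
     "affected": ["2.0"], "severity": "medium", "published": date(2024, 2, 20)},
    {"id": "ADV-0004", "vendor": "OtherVendor", "product": "Router",
     "affected": ["1.0"], "severity": "critical", "published": date(2024, 3, 3)},  # not in inventory
]

# The predetermined time frame, in days after notification, per severity.
# These numbers are an assumed policy choice for the example, not a recommendation.
DEADLINE_DAYS = {"critical": 2, "high": 7, "medium": 30, "low": 90}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class PatchTask:
    advisory_id: str
    host: str
    severity: str
    deadline: date
    overdue: bool


def applicable_tasks(inventory, advisories, today):
    """One PatchTask per (advisory, host) pair where the host runs an affected version.

    Advisories for equipment the organization does not own are dropped, because the
    severity of a threat is relative to the equipment in place. The result is sorted
    with the most vital patches first: highest severity, then earliest deadline.
    """
    tasks = []
    for adv in advisories:
        for dev in inventory:
            if (dev["vendor"], dev["product"]) != (adv["vendor"], adv["product"]):
                continue
            if dev["version"] not in adv["affected"]:
                continue
            deadline = adv["published"] + timedelta(days=DEADLINE_DAYS[adv["severity"]])
            tasks.append(PatchTask(adv["id"], dev["host"], adv["severity"],
                                   deadline, overdue=today > deadline))
    tasks.sort(key=lambda t: (SEVERITY_RANK[t.severity], t.deadline))
    return tasks


def report(today_iso):
    """Convenience view for a given day (ISO date text): (advisory, host, severity, overdue)."""
    today = date.fromisoformat(today_iso)
    return [(t.advisory_id, t.host, t.severity, t.overdue)
            for t in applicable_tasks(INVENTORY, ADVISORIES, today)]


if __name__ == "__main__":
    for task in applicable_tasks(INVENTORY, ADVISORIES, date(2024, 3, 5)):
        print(task)
```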

Monitor

Network monitoring is somewhat comparable to a peace officer walking his daily beat. The officer observes the ebb and flow of the community as he strolls his familiar path, his eyes alert and his demeanor calm. Similarly, network monitoring, as shown in Figure 11-3, is a process that monitors normal course network activities. It observes and reports.

Figure 11-3. Security Wheel: Monitor

This section considers the following topics:

• Intrusion-detection systems (IDSs) and intrusion-prevention systems (IPSs)

• Data collection and retention

Intrusion-Detection Systems (IDSs) and Intrusion-Prevention Systems (IPSs)

IDSs capture network data and examine it to ensure that a network is secure. Because an IDS scrutinizes the data as it passes through, the IDS is relegated to being a reactive tool. Conversely, an IPS takes action to protect against an ongoing attack.

In essence, the IDS is passive—it detects and reports, whereas the IPS is active—it detects, reports, and intervenes.

Data Collection and Retention

Monitoring procedures likely result in a great deal of data being collected. The issue then turns to deciding the type of data an organization desires to collect. Does each action that occurs within every network segment need to be logged, or should the system be designed to flag and record only specific activities, such as file deletions or unsuccessful network logon attempts?

Equally important is deciding how long to retain the collected data. Certain file retention is legally required, and time frames can differ by state and specific statute. While those statutes need to be strictly observed, deciding how long to retain other data is individual to each organization. Regardless of the time frame chosen, instructions must be disseminated across the organization to ensure that rules are being enforced consistently.

Test

Network testing, as shown in Figure 11-4, is critical to ensuring optimal network preparedness. After equipment has been purchased and installed, testing both equipment and administrator knowledge of the equipment can reveal any possible holes in an organization’s security posture.

Figure 11-4. Security Wheel: Test

Testing considers the following areas:

• Determining responsibility for testing

• Network vulnerability scanners

• Audit and review

Determining Responsibility for Testing

Other than the process of testing itself, the most important aspect of testing is performing it consistently. An individual might be assigned to the process, but should that person’s employment be terminated, or should the employee be out sick, on vacation, or simply too occupied with other required tasks, necessary testing can be missed.

An organization can construct a formal procedure that defines a process to follow, or it can pursue an outsourcing path, contracting formal testing to a vendor that specializes in this type of service. Certain challenges are associated with outsourcing, namely, cost and the acceptance that a third party has access to the workings of the corporate network. After it is accepted, outsourcing has far-reaching benefits. Not only can required testing be done consistently and continually, but also the vendor will likely be aware of any new vulnerabilities long before a heavily tasked internal systems administrator would discover them; this is the vendor’s business.

Data collected for testing purposes should be retained for the audit and review process.

Network Vulnerability Scanners

It is prudent to monitor the state of security preparedness, and network vulnerability scanners can probe a network to ensure that security issues are handily addressed.

Audit and Review

The process of log auditing was not designed so that a systems administrator could witness an attack. Rather, log auditing was designed to be a preventative tool. It can be used to pinpoint patterns that might not be easily discernible through standard log checking. It might reveal that a series of reconnaissance attacks have occurred, as described in Chapter 2, “Crucial Need for Security: Vulnerabilities and Attacks.” In and of themselves, reconnaissance attacks might not cause harm, but to a systems administrator performing a thorough log audit, the attacks should represent a possible foreshadowing of future events.

Reviewing test logs can determine the strength of an organization’s security posture. It can also determine whether a system can recognize when it is under attack and, assuming it does, whether the system noticed the attack in time to protect itself.
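The difference between standard log checking and a log audit is easiest to see on data. The following is an added example, not from the book: a constructed firewall deny log in an invented line format, a per-day check that finds nothing, and an audit over the whole retained period that surfaces a slow reconnaissance sweep. Thresholds and addresses are assumed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall deny log. The line format is invented for this
# example; a real firewall's syslog differs and the regex would need adjusting.
SAMPLE_LOG = """\
2024-03-01T02:11:05 fw-1 DENY src=203.0.113.7 dst=192.0.2.10 dport=22 proto=tcp
2024-03-01T09:30:12 fw-1 DENY src=198.51.100.4 dst=192.0.2.10 dport=445 proto=tcp
2024-03-02T02:14:41 fw-1 DENY src=203.0.113.7 dst=192.0.2.10 dport=23 proto=tcp
2024-03-03T02:09:58 fw-1 DENY src=203.0.113.7 dst=192.0.2.11 dport=3389 proto=tcp
2024-03-04T02:12:30 fw-1 DENY src=203.0.113.7 dst=192.0.2.12 dport=1433 proto=tcp
2024-03-05T02:10:17 fw-1 DENY src=203.0.113.7 dst=192.0.2.13 dport=8080 proto=tcp
2024-03-05T11:02:44 fw-1 DENY src=198.51.100.4 dst=192.0.2.10 dport=445 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) DENY src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def parse_log(text):
    """Turn matching DENY lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                           "dst": m["dst"], "dport": int(m["dport"])})
    return events


def per_day_alerts(events, max_ports_per_day=3):
    """The 'standard log check': one day at a time, flag any source that probes
    max_ports_per_day or more distinct ports. A source probing one port a day never trips it."""
    ports = defaultdict(set)
    for e in events:
        ports[(e["src"], e["ts"].date())].add(e["dport"])
    return sorted({src for (src, _day), p in ports.items() if len(p) >= max_ports_per_day})


def audit_window(events, min_hosts=3, min_ports=3):
    """The audit: aggregate each source across the whole retained period.
    A few denied probes per day add up to a sweep of several hosts and ports."""
    agg = defaultdict(lambda: {"hosts": set(), "ports": set(), "days": set()})
    for e in events:
        a = agg[e["src"]]
        a["hosts"].add(e["dst"])
        a["ports"].add(e["dport"])
        a["days"].add(e["ts"].date())
    findings = []
    for src, a in sorted(agg.items()):
        if len(a["hosts"]) >= min_hosts and len(a["ports"]) >= min_ports:
            findings.append({"src": src, "hosts": len(a["hosts"]),
                             "ports": len(a["ports"]), "days": len(a["days"])})
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("per-day alerts:", per_day_alerts(evts))   # empty: no single day looks unusual
    print("audit findings:", audit_window(evts))     # the slow sweep from 203.0.113.7
```

The per-day check and the audit read the same lines; only the aggregation window differs, which is why retaining the test and monitoring data for the audit matters.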

Improve

Interpreting results from the audit and review process and deciding which, if any, should be implemented constitute the improvement stage, as shown in Figure 11-5. In addition, many organizations can use the improvement stage as a springboard for continuous learning. Managers can be assigned the task of ensuring that they are well informed of recent security happenings, whether they concern innovative new products or pertinent current events. By habitually sifting through the vast array of available market data in search of relevant information, an organization can ensure that it is perpetually operating in a preventive and proactive mode.

Figure 11-5. Security Wheel: Improve

This section considers the following topics:

• Security policy adjustments

• Implementing changes

Security Policy Adjustments

The steering committee, or similar corporate body, should review all recommendations that were revealed through the initial three phases of the security wheel to decide what changes, if any, are required to solidify the organization’s security posture. Should the company elect to make improvements, those changes must immediately be reflected in the security policy manual.

Users need to know what is expected of them at all times, and without hesitation, they should be able to inherently trust the rules that are detailed in a firm’s security policy. The situation is analogous to an individual who decides to alter his last will and testament. He might decide to change a beneficiary, but should he neglect to have the amendment appropriately witnessed before he dies, his final will and testament will not be valid. A security policy that does not immediately reflect all rule changes can suffer the same fate. Should an attack ever occur, no one would ever want to hear a user say, “I was following the security policy; I didn’t know the rules had changed.”

Implementing Changes

Updating security policies to reflect changes is a prudent practice, but simply including new rules in departmental manuals might not be sufficient. Training is usually required and can run from the complex, sending personnel to extensive professional training programs, to the simple, explaining to users new actions they must follow.

Awareness is fundamental to the success of any program. Informing users of significant threats, and advising them about steps that can be taken to help the organization mitigate potential issues, can ensure that recent changes are implemented in the way in which they were originally conceived.

Scalability

An organization might assume a particular security posture, but through a regular rotation of its security wheel, the organization might discover that it has unwittingly altered its posture.

Organizations can view security postures as falling into one of the following camps:

• Basic

• Modest

• Comprehensive

An organization might have chosen a modest plan when it originally wrote its security policy, structuring its posture on the equipment and processes inherent in a modest level, as described in Chapter 4, “Putting It All Together: Threats and Security Equipment.” Plans get set in motion, and normal-course business is conducted. Situations can occur, whether they involve malicious attacks by outsiders, inadvertent errors by insiders, or potential vulnerabilities that are recognized and plugged before they can become issues. An organization must respond quickly and effectively to every situation by ensuring that concerns are addressed directly, and any resultant change is promptly reflected in its security posture.

This process works well in theory, but it can be challenging to implement on a daily basis. When situations do occur, changes are made expeditiously, so the organization can quickly resume doing business. Making the security wheel a fundamental component of an organization’s process ensures that changes made on the fly are always reflected in policy and, most importantly, that changes respect the posture the company already has in place.

Changes rarely occur in a vacuum; typically, one change begets another. For example, an organization faced with a particular situation might implement a variety of solutions to combat the problem, possibly resulting in the company moving markedly away from its modest security posture. If the newly implemented changes reveal that the organization is pursuing a posture that is fundamentally more comprehensive, the organization should ensure that related policies are changed to reflect a similar comprehensive structure. The concern is that an unplanned mix of modest and comprehensive security postures might leave the company with a sense that it is more secure than it actually is, and a false sense of security can be worse than no security. Firms with acknowledged low levels of security can ensure that users are particularly diligent in their dealings; those firms that think they have a high degree of security installed on their systems might be less concerned with employee activity. And that is where the seeds of great vulnerability are typically planted.

A continual rotation of the security wheel can ensure that a firm’s physical and logical structure is created, implemented, and reviewed in a fashion that is commensurate with its desired security posture.

Jurisprudence

The law is a living organism. It is a series of rules, regulations, conventions, precedents, and structures that are created, maintained, and improved upon to reflect societal needs for both current and future generations. Laws govern a society’s people, organizations, institutions, and structures, and they impose a system of order encompassing the foregoing entities and the relationships among them.

Political legislators are working to design legislation that accurately reflects the ever-changing technological landscape while substantively protecting both organizations and individuals.

This section considers the following topics:

• Hacking

• Internal issues

• Negligence

• Privacy

• Integrity

• Good netizen conduct

Hacking

It has been a long while since hackers were viewed as mere nuisances. Today, the proliferation of attacks is widespread, encompassing targets that include vast enterprises, home users, and every conceivable system in between. The menace posed by hackers continues relatively unabated; attacks are increasingly more virulent, forcing organizations and users to become more diligent in their daily activities.

Attacks were historically viewed as acts perpetrated by individuals intent on inflicting vandalism, but they are quickly becoming recognized for what they truly are: intensely malicious acts of a grievous nature intended to cause harm. Attacks can cripple systems and result in untold damages, some of which can never be quantified. Whether attacks are premeditated, carried out for personal gain, or have some link to cyber-terrorism, politicians around the globe are striving to enact legislation that serves to deter individuals from attempting to inflict damage, and punish those who wreak havoc.

Internal Issues

Acts carried out by company insiders can be just as damaging as those inflicted by hackers. Company-internal errors, whether intentional or not, can bring down a system or cause a business to be unnecessarily vulnerable. Users can inadvertently create a distributed denial of service (DDoS) attack, as described in Chapter 2, or with premeditated intent, they could access company-confidential information for their own purposes.

Limiting Internet access, whether by implementing URL filtering, as described in Chapter 3, or by continually elaborating on the company’s Internet-use stance, can help to restrain certain activities. An organization might be logging heavy activity at gaming sites if some of its users enjoy participating in gambling during the course of their workday. Other users might choose to collect illegal pornography, putting the company at risk not only for harboring individuals who perform illegal activities but also for damage to its reputation in the frequently more punishing forum of public opinion.

Developing a system that encourages strict controls and maintains a process for checks and balances can ensure that an organization is in a position to act proactively, and that user actions are less likely to put the company in harm’s way.

Negligence

Security infrastructure is relative to an organization’s tolerance for risk. While one person’s high risk might be another’s light adventure, the outcome that results from a particular activity would be the same in either scenario. Negligence is defined as a failure to take prudent care and, for organizations, it can be the difference between acting responsibly and failing to adequately protect the company against known vulnerabilities. If a company employed a third party to perform certain work and, while in possession of client data, the third party was easily broken into by an external hacker, the third party could potentially be found negligent if it did not use practices or equipment to adequately protect itself. Adequate protection could be considered a relative term, but a company could be looked upon as having been negligent if it did not take fundamental precautions to proactively deal with potential threats.

Hackers have been able to infiltrate well-known websites to launch multiple attacks, making it increasingly incumbent upon companies to ensure that their systems cannot be used as launch pads for further attacks. While attack scenarios are typically more complex, for explanation purposes, an attack example could be as simple as the following scenario.

A hacker launches an attack against a well-known website, victim A. The virus implanted in victim A automatically launches its own attack against another well-known website, victim B, effectively bringing down both A and B. B might incur untold loss of revenue or reputation and, in an attempt to reclaim certain losses, might seek to prove negligence on the part of A. While the guilty party is clearly the hacker, seeking damages from the hacker would probably not serve any monetary purpose. Should B be able to prove that A was negligent in not protecting its own system from an attack and, further, that A should have been able to ensure that its system could not unwittingly become involved in launching further attacks, B might be able to prove negligence on the part of A. While this example grossly oversimplifies a complex issue, Figure 11-6 illustrates how simple it could be for an innocent bystander to unwittingly participate in a DDoS attack, and possibly be viewed as potentially negligent.

Figure 11-6. Victim and Perpetrator at the Same Time

Privacy

Respecting individual and corporate privacy has become an increasingly sensitive issue over the last generation. Legislation is beginning to dictate parameters for organizations in the collection, use, and disclosure of information and, in certain cases, creating guidelines for how these tasks must be accomplished. Specifically, consent is required, and in many instances, such consent must be implicit. Even when consent has been granted, it is incumbent upon the collecting organization to ensure that information is only used and disclosed for the purposes for which the information was originally collected, particularly if the information could be deemed highly sensitive. This is relevant whether the data collector is a commercial or a nonprofit organization.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 presents standards for the maintenance and transmission of personal information regarding individuals. Every organization in possession, or potentially in possession, of information must be able to protect the security and confidentiality of electronic personal information. The act ensures that the interchange of said electronic data is standardized and that privacy is ensured.

The Gramm-Leach-Bliley Act, or The Financial Modernization Act of 1999, includes provisions to protect individuals’ personal financial information. The act extends protection beyond formal financial institutions to include all organizations that handle personal financial relations, from firms that provide income tax services to those that provide credit counseling. In essence, the act requires all financial institutions to design, implement, and maintain safeguards to protect consumer information.

To effectively comply with privacy guidelines in certain existing and proposed legislation, organizations are developing privacy policies to operate in conjunction with security policies. These new policies work to ensure that data is protected from external attacks and internal inadvertent errors, as well as protected against possible internal disregard for the sanctity of the information with which an organization has been entrusted.

Integrity

Long gone are the days when officers of a public company could sign their name to official financial information and feel confident that the figures were wholly accurate. Today, all parties must ensure that proper security exists and appropriate methodology is used in the compilation and calculation of financial documents. Strict scrutiny and a high degree of security are now fundamental to ensure the integrity of internal financial statements.

The Sarbanes-Oxley Act of 2002, or The Public Company Accounting Reform and Investor Protection Act of 2002, outlines procedures with which public companies must comply to ensure that their financial statements are wholly accurate and that senior executives must attest to said accuracy in sworn statements.

In May 2003, the U.S. Securities and Exchange Commission adopted rules pertaining to Section 404 of the Sarbanes-Oxley Act, the Management Assessment of Internal Controls, to include the following items:

• Management is responsible for establishing and maintaining adequate internal controls for financial reporting.

• Management must present the framework it used for assessing and evaluating the internal control model.

• Management must provide its assessment of the effectiveness of the internal control structure.

Internal control is further defined as follows:

• Thorough maintenance of records

• Transactions being safely recorded

• Timely detection of any breach that could have a material effect on financial statements

Ensuring that strict security controls are in place is becoming increasingly more fundamental for organizations today. Guaranteeing the sanctity of financial statements, including the calculations behind every entry on a balance sheet, such as booking and timing of payables, requires firms to have measurable and unfaltering procedures in place.

Good Netizen Conduct

The Internet has been referred to in such diverse terms as being a conservative and appropriate medium in which to conduct business, to being as uncontrollable as the proverbial Wild West. The Internet is as safe, or as uncontrollable, as each of its users allows it to be. Actively ensuring the dependable, proper, and respectful use of this highly exposed medium requires every individual who uses the Internet to become a good net citizen, or netizen.

The Centre for Safe and Responsible Internet Use (CSRIU) works with schools and educators to ensure that responsible Internet use is instilled at a young age. Respect for the medium, learned early, can benefit organizations when those students become their next generation of workers.

In companies today, leaders must extend respect for the Internet throughout the organization. Practicing good netizenry can help ward off potential issues of negligence in the future. ISPs, possibly vulnerable to potential lawsuits, might begin to request minimum-security requirements from those companies to whom they provide service.

Service-level agreements (SLAs) between companies sharing just-in-time programs, as an example, could potentially require each party to be a good netizen. While SLAs are wholly negotiable, sections of an agreement could stipulate that each party involved in a transaction maintain a predetermined level of security, such as a formal plan for patching, firewall maintenance, and other pertinent requirements.

The continued pervasiveness of the Internet in everyday business requires all users, both corporate and individual, to ensure that the medium is used in a highly respectful fashion.

SWOT: Strengths, Weaknesses, Opportunities, and Threats

An organization can effectively use its IT infrastructure to aid its competitive posture by ensuring that internal IT systems are integral and integrated components of its business. A well-constructed security policy can ensure that an organization can concentrate on its core business while reducing system-related distractions to a manageable minimum.

Strengths, weaknesses, opportunities, and threats—commonly referred to as SWOT—is a form of self-analysis that can aid an organization in establishing and continually reexamining its security posture.

Table 11-1 can act as a guide to SWOT analysis.

Table 11-1. Components of SWOT Analysis

This section considers the four components of SWOT:

• Strengths

• Weaknesses

• Opportunities

• Threats

Strengths

Deriving a positive business case for network security requires organizations to determine the most fundamental elements of their operation and quantify, to the greatest extent possible, those soft elements that typically represent the difference between success and failure.

Incorporating enhanced security measures can allow organizations to concentrate on their core business. Mitigation tactics used to reduce the likelihood of security breaches can result in fewer distractions for company users, because the system will potentially suffer less downtime. Customers and suppliers alike can rely on the system’s consistency and, gaining ever more importance, the system’s trustworthiness.

Remote users of every kind, whether they are working from home in the evenings or sitting in a hotel room 2000 miles from the office, can access the corporate server with the same level of functionality, ease, confidence, and security as if they were sitting mere yards from the server.

Bringing the need for security directly to every employee through stated job requirements and ongoing dialogues, as discussed in Chapter 7, “Engaging the Corporation: Management and Employees,” allows every employee to fully comprehend what is at stake. The understanding, coupled with procedural guidance, allows users to proactively aid the organization in enhancing its security posture far beyond the scope of physical equipment. When users view themselves as integral to a process, human nature suggests that it is indicative of positive feelings they hold for both the functions and the overall goal. The end result is that they can feel a stronger connection to the organization, and positive morale could be an unexpected outcome.

An organization that enhances measures to protect its resources, both people and equipment, ensures that the attention of its users remains focused on the organization’s central concern: its business.

Questions the steering committee can pose to itself to aid in determining strengths are as follows:

• Is our enhanced security an advantage because it ensures that employees are focused on the core business?

• Is our enhanced security an advantage because we have developed stronger bonds with our customers and suppliers?

• Is our enhanced security an advantage because we can process purchase orders taken by our branch offices faster than our competitors?

• Is our enhanced security an advantage as a marketing tool?

• Is our enhanced security an advantage that is used by our sales staff, as a value-added tool, that addresses the corporation’s reliability and long-term commitment to promoting a safe environment in which to share information and conduct business?

Weaknesses

Every system has weaknesses, and instituting a program that continually attempts to identify and effectively address them can aid the organization in its quest for enhanced security.

While a business case attempts to identify the costs inherent in not implementing greater programs, it is important to recognize the total cost of ownership when developing system plans. From physical equipment to personnel training and product upgrades, the costs associated with enhancing security do not stop when equipment is installed on a network.

Equipment that analyzes network activity—whether appliances watch traffic as it flows across a wire or equipment acts as a filter, limiting destinations users can visit—inevitably introduces latency into a system. That time is measured in milliseconds, and while the latency is likely negligible for most users, every function requires some time to execute; system latency grows in proportion to the functionality that is added.

Newly installed equipment might require training for the systems administrator and the requisite alternate administrator. Depending on the size of the organization and the importance of the equipment, more than one alternate could be assigned. Certain equipment might even necessitate the hiring of specialized personnel, should they not already exist on staff. Also, the monitoring and maintenance of new equipment, in particular the work involved in analyzing log files, could result in a greater workload for existing staff.

The security steering committee can pose the following questions to itself in an attempt to determine potential weaknesses:

• Are our users vigilant enough?

• Is our enhanced security so inflexible that we are removing potential efficiencies?

• Is the (present) lack of enhanced security known to customers, suppliers, staff, or even hackers?

• Is our lack of greater security negatively impacting our revenues?

• Is the company adequately insured against potential attacks? E-insurance can provide protection against viruses, unlawful system use, a DoS, and a variety of other potentially calamitous events. Network liability insurance is also available to contend with both external and internal threats. Insurance of this type could prove an opportunity for organizations, should they ever experience extensive damage as a result of an attack.

• Is the security implementation scalable, and can it grow with the business?

Opportunities

Building an enhanced network provides organizations with the ability to act. This is in stark contrast to the security position in which many companies frequently find themselves, which is one of reacting. Organizations have the opportunity to create an environment in which employees become an integral part of the company’s defense strategy. Users help fortify the company by adhering to guidelines that govern network segments and physical security.

Enhanced security can be used as a selling tool by the sales and marketing departments in promotions that stress reliability, consistency, and trust. Should it become clear that immediate competitors have not implemented similar security postures, the organization’s adoption of an enhanced environment could be used as a differentiator when pursuing opportunities with customers.

Enhanced security measures could prove an ideal moment to renew SLAs with customers. If certain accounts are found to be lacking in their security postures, the discussion could be the impetus for those customers to follow a similar route in their own security development program. Regardless of the outcome, the resulting series of discussions would be perceived as adding value, which could serve to further solidify the relationship between the companies.

Questions the steering committee can pose to uncover opportunities include the following:

• Could greater opportunities be developed in the customer base, or would the ability to sign leading suppliers improve, with the establishment of enhanced security?

• Could greater sales be realized in the current customer base by enhancing security? Can sales personnel use the enhancement as a value-added tool that addresses potential reliability issues?

• Would certain costs decrease by implementing greater security? For example, physical property and receivables insurance could be reduced because of decreased vulnerability. If an organization uses SLAs to govern business relationships with its large customers, and security has been enhanced to ensure a safe and consistent flow of goods and funds, normal-level vulnerabilities that perpetually exist between partnered organizations would likely be reduced by tighter and more secure channels.

• Could the cost of doing business be reduced if enhanced security were put in place? Do identifiable areas exist where employees are manually overcompensating for lack of security?

• Can it be determined whether closest competitors have issues pertaining to their security postures? If it appears that one or more might have issues restarting operations after a widespread power outage, as an example, the organization’s sales and marketing group could promote its own consistent high level of security.

Threats

Threats come in many forms, many of which are not visible until they are actual events. Recognizing issues as potential threats is a proactive step organizations can take to determine their tolerance, or aversion, to certain threats. The proactive process allows organizations to determine appropriate courses of action.

Questions a steering committee can ponder when considering threats include the following:

• Does a particular response to potential threats, or lack thereof, leave the organization unduly vulnerable? Could under-security lead to possible legal implications?

• Are an organization’s electronic connections with its customers and suppliers well served and appropriately secured?

• Can the lack of enhancements negatively impact customer or supplier relationships?

• Can either customers or suppliers view immediate competitors as being better equipped?

• Could a serious breach (for example, system unavailability for 72 hours, loss of sales database, loss of backup, or infiltration of financials) severely threaten the organization?

• Is the organization suffering from higher levels of downtime compared to its competitors? Would less downtime result in greater concentration on the organization’s core business?

Performing an analysis of this type can highlight issues that need to be addressed immediately and determine a prudent course for long-range security planning. It can also create a greater sense of confidence, knowing that the organization is doing all it can to proactively protect its business.

The marketing department could also perform similar analyses on the company’s largest competitors.

Summary

Reviewing, renewing, and regenerating security fundamentals to ensure that they remain relevant are processes that serve all organizations. Given the litigious climate that exists today, assessing the potential for legal implications surrounding security can prove to be a prudent practice in which organizations can proactively engage.

Continual corporate self-examination of policies, practices, weaknesses, and threats can ensure that opportunities are recognized early in the business cycle, and effectively capitalized upon.

This chapter explored the following topics:

• The importance of a security wheel

• The relevance of scalability

• The implications of jurisprudence

• The necessity of a SWOT analysis

The Business Case for Network Security: Advocacy, Governance, and ROI presents technical terms and mitigation techniques in a format that is accessible to nontechnical corporate leaders. It provides executives with an extensive guide to securing the organization and a program to create effective security practices. It also explores the fundamental role employees can play in securing an organization. The book introduces IT executives to a program that can effectively garner support, build consensus, and rationalize ROI. It creates a financial model to address the subjective nature of security matters, effectively quantifying subjective organizational issues into concrete numbers that can assess individual risk.

Adherence to security policy fundamentals, coupled with a program that continually reviews and renews an organization’s security posture, can foster an environment that can effectively address any challenge an organization might encounter.
