
First Steps to Address Information Security and Compliance in 2010

by Carl Herberger, Evolve IP
Aug 25, 2009 8:00:42 AM

A couple of weeks ago, we identified 10 key information security and compliance concerns for 2010. Developing a comprehensive information security program that addresses how to manage each of these considerations is paramount to ensuring the integrity of your business’ data and the compliance of your organization.

Carl Herberger is Vice President, Information Security and Compliance Services, for managed technology provider Evolve IP.

Establishing a program to protect against these vulnerabilities can be daunting, but these steps are a great way to start.

 

1. Plan for Pandemic Continuity. Planning for an epidemic is very different from typical business continuity or technical recovery planning exercises. To understand how a pandemic could affect your business, conduct an abbreviated Impact Analysis focused primarily on people, not process or business function. The rule of thumb is that companies should plan for up to 50 percent staff absences for periods of about two weeks, and lower levels of staff absences for a few weeks on either side of that peak.

 

Overall, a pandemic wave could last about eight weeks. During that time, personal illness is not the only factor that could keep workers at home. The illness of family members, as well as an increased sense of safety at one’s home might also lead to employee absences.

 

Other areas of the business can also be affected. For example, shipments of materials might be delayed, or the availability of services from sub-contractors disrupted. Include strategies on how to cope with these factors in your plan.

 

2. Expect Malware Variants. The repercussions of a malware attack on your networks, key business applications, phone or e-mail systems could be catastrophic. Communication with customers and key business partners could be severed, and the integrity of sensitive data compromised.

 

The key first step in a Malware Defense Architecture is a robust patch and vulnerability management program. Identify all potential malicious code entry points, including browser attacks, free Internet and e-mail accounts, remote users, instant and text messaging, etc., and determine what type of protection will be used for each.

 

Secondly, conduct an IT penetration analysis to test your platforms. This type of assessment will identify weaknesses, helping you improve network security and survivability; enhance the security of critical systems; evaluate incident detection methods; and verify your incident response effectiveness.

 

Finally, conduct e-mail “social engineering” tests to ascertain your employees’ awareness of these threats.

 

3. Monitor Social Networking & Web 2.0. Social networking and Web 2.0 technologies represent a new and quickly evolving attack vector. Unfortunately, the tools needed to address them are not yet satisfactory. As a result, companies should assess the true business value associated with these tools and, wherever possible, block or limit access to them until effective protective technologies mature.

 

As these tools become more integrated into business processes, mid- or long-term blocking strategies might not be realistic. Identifying the Web 2.0 technologies your business truly needs is the first step in strategizing and developing a proper defense.

 

4. Re-Architect the Technical Security Perimeter. Internal data loss prevention technologies are an integral part of a “layered approach” to information security. Once you’ve decided to deploy data leakage tools, you should communicate to your employees what you are monitoring and why. In general, data leakage tools can be implemented without technical issues. However, the issues around employees are often far more daunting to address. Finding the appropriate level of employee trust is more often the key determinant in a successful data leakage implementation than picking the technology itself.

 

5. Re-Evaluate Incident Response. Businesses should have a realistic incident response plan ready in the event of data breaches, disasters or other security incidents. Such a plan should take into account the following considerations:

 

  • Compliance with Laws and Regulations - An unintended release of personal or private information now requires compulsory actions in almost all circumstances.
  • Malicious Incident or Infection - Unauthorized users or tools gaining access or root privileges to your systems.
  • Denial of Service - An attack seeking to deny access to or use of your services, applications, or systems.
  • Employee Abuse - Activities including misuse of resources, abuse of system administrator privileges, sabotage, stolen passwords, use of unauthorized software, viewing pornography, attacking other systems, theft of services, etc.
  • Pandemic or Business Continuity - Time-critical activities related to the execution of disaster recovery or business continuity plans.

 

6. Secure Mobile Devices. When insufficiently secured, employees’ mobile devices can open up a business’ network and assets to attack. Fortunately, there are simple protections that can decrease the chance of misuse.

 

Start by installing an antivirus and personal firewall on employee devices to protect them from viruses that could make their way onto the network. In addition, install password locking, if not data-level encryption, on all devices that can access sensitive data.

 

7. Defend Against Social Engineering. Defending against social engineering threats such as phishing or pharming is very difficult. Because social engineering attacks target the human element, most logical (technical) controls are bypassed. Therefore, heavy emphasis must be placed on the administrative and educational portions of information security.

 

The first step is to test the riskiness of employee behavior through routine social engineering engagements. Make this a routine activity that is integrated into the culture of the organization. Over time, the employees will learn to identify and resolve behavior-based vulnerabilities on their own.

 

8. Implement Cryptographic Key Management (CKM). Managing all the cryptographic keys that have been created to protect confidential data is a security challenge in itself. With improper key management, encryption can become ineffective.

 

CKM first needs to be handled through an overall framework. This key management framework is a basic conceptual structure used to specify the high-level issues and requirements for secure key management, and will be the initial product of the CKM workshop. The framework will provide a structure for defining key management architectures from which key management systems can be built.

 

9. Verify Virtual Machine (VM) Security. As virtualization technologies have become more widespread, so, too, has concern over the associated vulnerabilities. When approaching VM security, keep these points in mind. First, virtual machines are exposed to all the same security threats as traditional operating systems and physical servers. Second, VM software is very powerful, can “spawn” new machines quickly, and can be allowed to consume resources and grant excessive access. Take care to deploy, isolate, and limit VM access and powers deliberately.

 

10. “Prove” Appropriate Levels of Deployed Security. Developing a comprehensive information security program is further complicated by outsourcing. Organizations that outsource to third parties must establish a rigorous and reliable approach to evaluating their risks. For service providers or regulated entities, industry standard reporting processes such as the Shared Assessment Program for Financial Institutions are available to prove out their programs in a consumable and trustworthy format. For businesses consuming these services, knowledge of the providers’ security is paramount to a successful security policy and relationship.

 

Your information security and compliance strategy for 2010 should address these issues, as well as any others specific to your business or industry. Although budgets will likely continue to be tight in the New Year, security is not an area in which you can afford to cut corners. Following these steps will put you on the right track to ensuring your company and its sensitive information are secure and well-protected to make it through another year.
