Creating an Updated Security Model


As a security professional, it's hard to stay on top of the most current issues, never mind even thinking about the future. In a previous post, I listed a few key security sites to use to help you stay current. Now that we have current information, how do we formulate a security plan that we can implement?


As part of its Security for Business Innovation Initiative, RSA recently released a report to help technology leaders create an updated information security model based on emerging opportunities, risks, and the direction in which information security is heading.


The report makes several recommendations for updating your information security model:


  1. Asset identification and management. How do you know what to protect if you don't know what you own?
  2. Your security organization should offer services. These services should include risk assessment and compliance management, awareness and training, and identity and access management.
  3. Embrace new technologies. Keep an eye on new technologies that can help the business and develop a security technology roadmap.
  4. Shift from protecting the container to protecting the data. I recommend that you still secure the physical device (server, laptop, mobile device), and in addition protect the data with encryption or data leak protection technology.
  5. Adopt advanced security monitoring techniques. RSA recommends blacklisting (blocking known-bad Internet sites) and whitelisting (allowing only approved software to run). In addition, I recommend using an Intrusion Prevention System along with aggressive log monitoring.
  6. Get involved with setting industry standards. There are many opportunities to sit on standards boards and open source initiatives. If you have a complaint that standards and best practices just don't go far enough, put your time where your mouth is.
  7. Share risk intelligence. My personal recommendation is to join InfraGard, a partnership between private and public organizations and the U.S. Federal Bureau of Investigation. InfraGard members meet to share information and intelligence. The really great thing is that it's free to join.


I think the RSA report offers some great advice. These recommendations, coupled with your risk assessment, business roadmaps and blueprints, should carry your security organization forward for two to three years.