Should organizations implement layered defenses from different vendors? Should we rely upon a single vendor for an organization’s overall security?
According to a Gartner research paper, “Two firewall platforms are not better than one. We believe there is a higher risk associated with configuring and managing firewalls from multiple vendors than from a single vendor. Therefore, Gartner advises enterprises that have more than one firewall to standardize on a single vendor platform when the opportunity presents itself (that is, new installations or replacement during a refresh). In choosing a standard firewall, enterprises should consider the experience of their firewall administrators with each platform, scalability, central management and cost.” (Young & Pescatore, 2008)
The paper also states that firewall misconfiguration, not firewall flaws, causes more than 99% of firewall breaches. It is true that debugging an error in any new appliance or tool can be cumbersome and time-consuming. Moreover, narrowing down to a single vendor relationship could yield greater discounts with less administration overhead.
However, there are situations where an enterprise could be stuck with a solution for a long time with little help upgrading, unless the enterprise pays almost the cost of a new solution plus the extra cost of migrating to it. Sometimes it is better to diversify, especially when the industry is changing drastically and not all vendors address all the issues that come with those changes. Continue reading “Best of Breed or Best Suite of Products”
Is it important to account for or acknowledge risks that may not apply to an organization or system? What if you identify a risk that you would typically consider but that does not apply because of the context? Say, for example, your organization is not in a floodplain, although it is usual to consider flood risk for all of your organization’s locations. What if you have validated against the FEMA 100-year flood zones that the total flood risk facing the organization is very low, since it is not in a location that requires flood insurance? Do you still need to acknowledge the possibility of the threat occurring?
I believe it is essential to acknowledge the risk. We need to document it as a very low risk, with only minimal safeguards required, as part of the risk assessment. The building code of the location would define the minimum safeguard. However, there could be situations where the asset value of the site is so high that you cannot ignore the risk altogether. Say the location is the primary data center for the organization. In such situations, the organization must implement all appropriate controls required to protect against flooding. The assessment needs to be revisited periodically to determine whether the risk is significant at that time. Each evaluation must be based on the current facts and numbers at the time. Continue reading “Acknowledging Non-Applicable Threats”
Information security is both a management issue and a technology issue.
The management of an institution could be the owner or custodian of the data that its information security program is trying to protect. They need to ensure that the systems they employ execute all the functions on the data as they are supposed to, while ensuring the data is not leaked to unauthorized personnel. “Primary mission of an information security program is to ensure information assets-information and the systems that house them-remain safe and useful” (Whitman & Mattord, 2014).
Management is responsible for the reputation of the business, its proper functioning, the data it holds, and safeguarding the technology it uses. However, all of these could be impacted if the technology they deploy does not meet the requirements – functional as well as non-functional. Technology is only a tool that facilitates the proper functioning of the business, providing value to its customers and keeping track of all its transactions. Technology must be configured in such a way that the data the business holds is protected while in transit, at rest and in process. Continue reading “Roles of Management and Technology in InfoSec”