Integrated Security Solutions
Highland Technology Services Inc.
What security is and isn’t
• Security isn’t an appliance
• Security isn’t an afterthought
• Effective security requires a specific plan with specific goals and continued diligence
• Security isn’t a template. Needs are individual and can vary greatly
• Good security requires redundant controls on all fronts
• Security requires both technical and procedural components to be effective
• A security plan must be holistic, with each piece working in concert to provide the utmost security with the least amount of inconvenience
• Good security relies on implicit denial: if it isn’t explicitly needed, it is denied.
Barriers to Success
• It’s time consuming
• It’s resource intensive
• It’s complex
• But it’s necessary
And Highland can help…
How do you achieve Good Security?
• By creating a formal assessment to fully understand an organization’s needs
• By formulating a high-level policy from that assessment and creating specific, achievable goals to reach the dictums of that policy
• By creating a stepwise implementation of solutions that effectively achieve the goals of an organization’s policy with the smallest inconvenience to users
• Must be living.
The “Integrated” in Integrated Security Solutions
Integrated has two meanings:
• Security should be integral to the way an organization does its business. Every process, procedure, policy and function should be assessed for and have a security component.
• Each piece of an organization’s environment should be part of an integrated whole
• Like pieces of a puzzle, unless they fit together, it isn’t a pretty picture.
Keep in mind least privilege
• Understand what the organization’s mission needs, then design a secure way to meet those needs and deny everything else.
The “Security” in Integrated Security Solutions
The operational security triple (CIA):
• Confidentiality
• Integrity
• Availability
The “Solution” in Integrated Security Solutions
• Security requires a deductive approach
• Solutions require an inductive approach
• Requires high-level participation
• Must address the organization as a whole
• Coordinated, specific actions are taken to address needs and risk
• A fundamental part of the way you do business
Step 1: Assessing your Environment and needs
• Need/Risk Assessment
• Cost/Benefit Analysis
• Current state of affairs
Step 2: Security Policy
• An underlying theme
• Key personnel
• Start closed and move to open
• Each element of access should explain need
• High level standards policies and procedures
• Achievable timelines and goals
• Accepted risk
• Review and change management processes
Step 3: Implementing Security measures
• Administrative controls
• Standards, policies and procedures
• Technical controls
• Access controls, Authentication and Authorization, encryption, redundancy
• Physical controls
• Access controls, item destruction, HVAC
Step 4: Review
• Scheduled periodic review
• Change management
• Metrics
• Repeat
Notorious mistakes
• Caught up in the newest technology
• Security is not an appliance
• Misconfiguration
• A misconfigured firewall is a liability not an asset
• Glaring holes
• Only as strong as the weakest link
• Piecemeal
• Inconsistent implementation, exceptions to the rule, un-interoperable components
• Disorganized
• Inconvenient
• Reactive
HTSI and Integrated Security Solutions
• Security is our business
• We’ve done this before and can demonstrate past performance
• Work with what an organization has got, to get them where you want to go
• Solution oriented
Take Home Message
• Security is not an afterthought
• A supported security policy
• Stepwise process to achieve the goals of that policy
• Managing to specific need
• Integrated proactive solution
Questions, Comments?
Thank you
Highland Technology Services Inc.