Anyone looking for an industry-standard information systems security planning checklist is likely to come up empty-handed. "The reason for this is very simple," said security expert Michael Mychalczuk. IT technology is used by a huge number of industries, all of which have varying levels of information security requirements, so one checklist can't be a standard for everyone, explained Mychalczuk, a product manager for NetIQ, a San Jose, Calif.-based e-business infrastructure management and intelligence software vendor.
That rationale is cold comfort for IT managers building new or revamping old security plans. Recognizing the need for a generic security guide, Mychalczuk offered this Top 10 list of security planning to-do items.
1. Research the industry your company is in. Identify whether any security and auditing regulations are imposed on it, either through legislation or by an industry standards body. If so, obtain copies of those documents.
2. Download the SANS Institute top 20 security threats.
3. Download, from every OS and application vendor your company uses, an up-to-date list of the patches, hot fixes, service packs, etc. currently available.
4. Reconcile the SANS top 20 security threats with whatever standards/regulations may be appropriate to your industry.
5. Identify all the resources in your environment. Know who uses them and what's on them, and rank them in order of criticality on a scale of 1 to 5, with 1 being least critical and 5 being most critical. Then ask the information stakeholders to identify the information they use and to rank it from 1 to 5 on the same scale. If you can do this in your organization, ask your management and the management of the information stakeholders to do the ranking as well. Take an average of the rankings and you have a way of identifying the most critical resources in the environment.
"There are very complex methodologies that can be implemented to reflect this ranking even more accurately than the steps outlined above," said Mychalczuk. "What is outlined above is best akin to a sample poll that you would see on the evening news on a given subject. However, it's better than nothing."
6. Perform a vulnerability analysis scan of your environment in the order identified in step 5. Take the results of that scan and reconcile them with the information obtained in steps 1 to 3.
7. Remediate the outstanding issues in the order you developed in step 5.
8. Identify areas of any regulatory or industry requirements identified in steps 1 and 4 that were not addressed in step 7.
9. Remediate those outstanding issues.
10. Implement a plan to maintain the state you are now in. You've gotten secure; now you must stay secure, and that's a process that doesn't end. Here you need to use tools targeted at helping you accomplish this goal.
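The ranking-and-reconciliation part of steps 5 through 8, worked through in code as an added example that is not part of the article or of any NetIQ product. The asset names, rater groups, scan findings and control identifiers (REG-...) are constructed sample data; the script averages each group's 1-to-5 ranking, orders scanning and remediation by that average, and reports required controls that no scan finding touched.

```python
from statistics import mean

# Constructed sample input: each rater group (step 5) scores an asset 1 (least critical)
# to 5 (most critical). A group that skipped an asset is simply absent for it.
RATINGS = {
    "mail-server": {"it": 4, "stakeholders": 5, "management": 5},
    "hr-db":       {"it": 3, "stakeholders": 5, "management": 4},
    "build-box":   {"it": 2, "stakeholders": 2},   # management did not rank this one
    "kiosk":       {"it": 1, "stakeholders": 1, "management": 1},
}

# Constructed scan output (step 6) with the regulatory controls (step 1) each finding maps to.
FINDINGS = [
    {"asset": "hr-db", "issue": "unpatched database service", "controls": {"REG-ACCESS-1"}},
    {"asset": "kiosk", "issue": "default credentials", "controls": {"REG-AUTH-2"}},
    {"asset": "mail-server", "issue": "missing hotfix", "controls": set()},
]
REQUIRED_CONTROLS = {"REG-ACCESS-1", "REG-AUTH-2", "REG-LOG-3"}   # placeholder identifiers


def criticality(ratings):
    """Average the 1-5 rankings per asset over the groups that actually ranked it."""
    scores = {}
    for asset, by_group in ratings.items():
        values = [v for v in by_group.values() if 1 <= v <= 5]   # drop out-of-scale entries
        if not values:
            raise ValueError(f"no valid 1-5 ranking for {asset}")
        scores[asset] = round(mean(values), 2)
    return scores


def scan_order(ratings):
    """Step 6: scan the most critical assets first; ties broken by name for a stable order."""
    scores = criticality(ratings)
    return sorted(scores, key=lambda asset: (-scores[asset], asset))


def remediation_queue(ratings, findings):
    """Step 7: fix findings in the asset order from step 5; unranked assets go last."""
    rank = {asset: i for i, asset in enumerate(scan_order(ratings))}
    return sorted(findings, key=lambda f: rank.get(f["asset"], len(rank)))


def unaddressed_controls(findings, required):
    """Step 8: required controls that no finding covers, so remediating the scan leaves them open."""
    covered = set()
    for f in findings:
        covered |= f["controls"]
    return sorted(required - covered)
```

Controls reported by unaddressed_controls are the input to step 9: they need their own remediation work because the scan never surfaced them.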
Whenever you are selecting tools for implementation, said Mychalczuk, ask: "What step do these tools support in keeping my company secure and compliant?" Unless the answer is clear-cut and straightforward, you should question the tool.
"Remember the tools accentuate the process and make the process manageable and practical," Mychalczuk concluded. "You cannot abdicate to tools, otherwise you spend a lot of money for little return."