Top 12 High Priority Steps to Simplify and Increase the Effectiveness of your IT Security
Information Security and Your Business – A Brief for Executive Management
Business is about taking risk.
One of the many risks that every business faces is protecting its assets. Most businesses
understand how to identify, inventory and protect their physical, personnel and financial assets.
However, in today’s highly IT-reliant businesses it takes more than that to protect your revenues
and reputation and to meet regulatory requirements.
Protecting information assets is another matter.
Digital information and electronic communications are relatively recent additions to many
businesses that have dramatically improved efficiency by automating record keeping, work
flows, and customer interactions. However, information assets were often relegated to IT
professionals and regarded as a technology concern rather than an executive management concern.
Today most businesses are custodians of regulated, confidential or sensitive information
provided to them by prospects, customers, business partners, suppliers, contractors, etc.
Unfortunately, much of that information is not properly classified when it is acquired, not
properly protected in transit, not properly protected when stored (at rest) and not properly
destroyed when it is no longer required.
And while the management of most other business assets is clearly visible to and understood by
executive management, the management of information assets is not.
Customer trust, your reputation, your revenues and regulations
Customer trust is an essential prerequisite to business success. Your customers trust you with
their personal information and expect you to protect that information while it is in your
custody. So do your prospects, business partners, suppliers, etc. Your reputation depends on
earning that trust. So do your future revenues.
In addition, an increasing number of regulations limit what information you can
collect, prescribe how you need to protect information in your custody, restrict how long you can
keep certain information and specify what you need to do in the event of a security breach.
Failure to comply with applicable regulations can result in significant fines or worse.
Clearly, the protection of confidential, sensitive or regulated information is not an IT responsibility –
it is an executive management responsibility.
Information security is about protecting the confidentiality, integrity and availability of the
information assets needed to run your business.
SAVANTURE © 2014
What can you do to protect your business?
This SAVANTURE executive brief is intended to:
o help business professionals like you become more aware of information security risk
o provide you with a list of 12 actionable recommendations that you can follow to help
  reduce information security risks to your business.
The 12 actionable recommendations described on the pages that follow are:
1. Establish information security policy and procedures.
2. Conduct security awareness training.
3. Inventory all of your IT assets.
4. Identify your regulated, confidential or sensitive information.
5. Document information flows, prioritize risks and ensure controls.
6. Uniquely identify each user and require strong authentication.
7. Backup critical information and store your backups off-site.
8. Limit physical access to your IT systems and networks.
9. Install deny by default firewall protection at every Internet connection.
10. Don’t become your local neighborhood public wireless hot spot.
11. Protect every one of your computing devices and learn what normal looks like.
12. Detect and respond to security intrusions by engaging a trusted partner.
People
1. Establish information security policy and procedures.
Create and publish an information security policy that clearly states management
expectations of every employee and user of information technology.
This does not have to be overly complex. While aspirations to follow international
industry standards like ISO27001/27002 are commendable, for a small to medium sized
business the reality is that you should start with your highest risks and focus on addressing
those first: for example, prioritize the key areas of concern to your customers, or those
where regulatory or contractual requirements are clearly stated.
For example:
o Does your business accept credit cards, and do you have systems that store and
  transmit credit card information?
   o The payment card industry has a set of standards called the Payment Card Industry
     Data Security Standard (PCI-DSS) that every merchant is required to comply with.
o Do you collect and retain regulated information such as Social Security Numbers,
  Driver’s License Numbers, Passport Numbers, Credit Card Numbers, etc.?
   o Such information is now regulated by more than 45 states plus Guam, Puerto Rico
     and DC, and each has different laws and requirements. Privacy laws are consumer
     oriented, so they apply according to where the consumer resides, not where your
     business operates. If you have consumers in a large number of states, you are
     subject to each state’s consumer privacy laws.
   o A good resource describing applicable state privacy laws is:
     http://www.ncsl.org/research/telecommunications-and-informationtechnology/security-breach-notification-laws.aspx
o Do you collect and retain other unregulated Personally Identifiable Information (PII),
  that is, data that includes the name of an individual plus other personal information
  such as address, telephone number, email address, etc.? If you maintain an affinity or
  members program you almost certainly also retain PII.
o Many other regulations may apply as well:
  http://www.savanture.com/vertical-market-solutions/small-and-medium-business/
Policies should be written in language that is understandable by every employee,
customer, business partner, supplier, contractor, etc. The objective of the policy is to
state management’s level of tolerance for information security risk and to make it clear
what is expected in terms of appropriate use, application of security controls, etc. If
needed, outside help is available from SAVANTURE Consulting and others to assist
management in developing policies and procedures.
2. Conduct security awareness training.
Educate and train every employee and user of information technology regarding best
practices for secure computing and handling regulated, confidential or sensitive
information, and the penalties for failure to comply.
Some companies develop policies and procedures, and then put them on a bookshelf to
show prospective customers and auditors. Doing so accomplishes nothing. The purpose
of a policy is to state management intent and influence behavior by clearly setting out what is
expected from every individual.
Security awareness training, like policies and procedures, should address the highest risk
areas first.
Start with the basics:
o General security awareness training. Describe what types of information are
  confidential or sensitive, appropriate use of company IT resources, things to avoid
  such as visiting risky websites, clicking on unknown links and opening unknown email
  attachments, how to report anomalous events, etc.
o No phishing. Phishing is the number one way for companies to be compromised
  today. As such it is essential to emphasize to every employee that no reputable
  business will ever ask for their user ID and password in an email message.
o Specialty role training. Each person has a number of roles they perform in the
  company. Make sure they understand the security ramifications of performing each
  role improperly, relative to IT security, PII protection, meeting regulatory
  requirements, how to handle a security incident, etc.
There are some excellent online education and training resources available, and they are
a very cost-effective way to keep employees’ training current.
Please contact SAVANTURE and we can provide more information.
Process
3. Inventory all of your IT assets.
Inventory all of your information technology assets including computers, smart phones,
servers, networks, Internet connections, outsourced IT contracts, cloud service providers,
maintenance agreements, software licenses and contracts, etc.
Many businesses today operate their information technology infrastructure using a
broad range of both business owned and personally owned computing devices. The
systems are not standardized, they span multiple generations of technology, and in
many cases are used for both business and personal tasks. Moreover there are multiple
network connections, license agreements, maintenance contracts, software packages,
etc., and a constant life cycle of equipment being decommissioned when new
equipment is purchased. Any of those systems may contain sensitive information that is
exposed if the device is lost or stolen.
o The first place to start is to create an inventory of all of the information technology
  assets used in your business.
o Doing so can also help you determine how much you spend on information technology,
  account for fixed asset depreciation and improve budget and capital replacement
  planning.
o The inventory should include computers, smart phones, servers, networks, Internet
  connections, outsourced IT contracts, cloud service providers, maintenance
  agreements, software licenses and contracts, etc.
o Each of your IT assets needs to be managed as an asset through its entire life cycle
  from purchase to disposal.
If needed, outside help is available from SAVANTURE Consulting to assist.
4. Identify your regulated, confidential or sensitive information.
Identify and classify all of the regulated, confidential, sensitive information that your
business collects, creates, maintains or uses.
It is hard to imagine a business that did not closely and accurately track its
financial assets, inventory, human resources, etc. And yet many businesses are at
least partially unaware of the regulated, confidential or sensitive information assets that
they create, collect, use, maintain, distribute, print, etc.
o What regulated, confidential or sensitive information do you create or collect from
  prospects, customers, business partners, suppliers, contractors, etc.?
   o Regulated information includes social security numbers, driver’s license
     numbers, passports, health care information, financial information, etc.
   o Confidential or sensitive information includes anything that you are
     contractually obligated to protect or information that would damage your
     company if it were disclosed, such as intellectual property, trade secrets,
     compensation information, etc.
o Make executive decisions as to whether or not you really need to collect and
  maintain the regulated, confidential or sensitive information that you find.
   o The least expensive way to secure information is to not have it in the first
     place -- “You can’t lose what you don’t have.”
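As an added illustration of the discovery step above (example code, not part of the SAVANTURE brief), the following Python script sorts constructed sample records into regulated, confidential, PII and unclassified buckets using patterns for the data types the bullets name; the Luhn check is what stops a 16-digit order or serial number from being reported as a payment card. The record format, regular expressions and tag names are assumptions for the example.

```python
import re
from typing import Dict, List

# Constructed sample records (not real data), standing in for a customer export
# found during the step-4 inventory of regulated, confidential or sensitive data.
SAMPLE_RECORDS = [
    "name=Ada Example; email=ada@example.com; phone=555-0100",
    "name=Bob Example; ssn=123-45-6789; dl=D1234567",
    "order=4411; card=4111 1111 1111 1111; exp=12/26",
    "order=4412; card=4111 1111 1111 1112",  # looks like a card but fails Luhn
    "memo=Quarterly compensation review attached (CONFIDENTIAL)",
]

# Assumed patterns for the example; tune them to the data your business holds.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
CONFIDENTIAL_RE = re.compile(r"\b(confidential|trade secret|compensation)\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(record: str) -> List[str]:
    """Return the classification tags that apply to one record."""
    tags = []
    if SSN_RE.search(record):
        tags.append("regulated:ssn")
    for m in CARD_RE.finditer(record):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            tags.append("regulated:payment-card")
            break
    if CONFIDENTIAL_RE.search(record):
        tags.append("confidential")
    if EMAIL_RE.search(record):
        tags.append("pii")
    return tags or ["unclassified"]


def inventory(records) -> Dict[str, int]:
    """Count how many records fall into each class: the input to the 'do we
    really need to keep this?' decision the brief asks executives to make."""
    counts: Dict[str, int] = {}
    for record in records:
        for tag in classify(record):
            counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(classify(record), "<-", record)
    print(inventory(SAMPLE_RECORDS))
```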
5. Document information flows, prioritize risks and ensure controls.
Document information flows to identify and properly classify regulated, confidential or
sensitive information at the point where it is created or acquired, and to ensure that
appropriate controls are in place to protect that information in transit and at rest, and
securely delete that information when it is no longer necessary to maintain.
For the regulated, confidential or sensitive information that you find and determine to
be essential to your business, designate a business owner for each type of information
(NOT the IT function), and document the entire life cycle that the information follows in
your business from creation to destruction, including the controls in place.
o Every collection of regulated, confidential or sensitive information must have a
  designated data owner responsible for establishing the degree to which the
  information must be protected and deciding who is allowed to see, change or
  destroy the information.
o Prioritize potential risks to confidentiality, integrity and availability based on
  whether the information is regulated, confidential or sensitive and whether the
  current controls are adequate and appropriate.
o Develop an information security action plan that addresses the highest potential
  risks first and holds data owners and data custodians accountable for its completion.
   o The IT function is responsible for being data custodian of digital information
     while it is in your possession and applying the appropriate technical controls
     to limit access to authorized personnel.
   o Business functions must take custodial responsibility for ensuring that similar
     controls are applied to paper and other non-digital copies of the information.
o Make tracking and reporting on the information security action plan a regular item
  on the executive management agenda.
o Regularly audit information security progress against the plan as part of your audit
  program.
6. Uniquely identify each user and require strong authentication.
Establish a unique user ID with a strong password or multi-factor authentication for each
user, and restrict each account to the minimum privileges necessary to accomplish that
particular job function, and nothing more.
Accountability means that actions can be attributed to a single individual. If multiple
employees share one user ID and password there is no accountability.
o Every employee or user of your computer systems needs to have a unique user ID
  that is associated with that individual and only that individual.
o That unique user ID needs to be authenticated using a strong (not easily guessed)
  password and/or multiple factors of authentication such as a one-time password
  using a smartphone.
o Each user of your computer systems should be limited to the minimum set of access
  and privileges necessary to perform their job functions – and nothing more.
o All user access should be logged and the logs should be regularly reviewed for signs
  of anomalous behavior or security intrusions. More on how to do this in #12.
Should you need assistance with multifactor authentication, you can read more at:
http://www.savanture.com/product-solutions/authentication-management/
7. Backup critical information and store your backups off-site.
Backup critical information files on a regular basis and securely store backups either offsite or in the cloud.
A sign in a dentist’s office states that “you don’t need to floss all of your teeth, only the
ones you want to keep.” The same applies to backups. If a file is critical it is not a
matter of if it will ever be unintentionally damaged or destroyed – it is just a matter of
when.
o All critical files should be backed up on a regular basis, as frequently as needed to
  meet your customer service level objectives.
   o Frequency of backups determines your recovery point objective, which is
     how far back you can afford to go in restoring a file. If you back up once a
     month, and there is a failure, you might need to go back to information from
     a month ago to resume business. If you back up weekly you will never need
     to go back more than a week. If you back up daily you will never need to go
     back more than a day. It is really a business decision on your part.
o While it is convenient to store your backups near your computer, if the building is
  destroyed in a fire so are your backups. You really need to keep backups in a secure
  offsite location. Use of a secure cloud based backup service is also a viable option.
8. Limit physical access to your IT systems and networks.
Limit physical access to your computer systems and wiring closets and restrict
administrative access to trusted IT staff and key personnel with appropriate logging.
If you have the most secure computers and networks in the world, but someone can
walk into your server room and walk out with your computers, the game is over.
Physical security is as important as, and complementary to, information security.
o Limit physical access to your computer systems and wiring closets at all times.
o Restrict access to trusted IT staff and key personnel only.
o Maintain logs of physical access and the reason for access.
Technology
9. Install deny by default firewall protection at every Internet connection.
Install and use deny by default firewall protection at every external Internet connection
and on every one of your systems that connects to the Internet.
The Internet is a very hostile place. At every moment there are both criminals and
automated systems scanning for and trying to connect to any open computer they can
find. You lock your doors from the outside. Why wouldn’t you lock access to your
networks and computers in the same way?
o Install and operate a deny by default firewall at every point where one of your
  networks or computers attaches to the Internet.
o Deny by default in this case means that an outside person or computer cannot
  initiate a connection to your computer; a connection is only allowed when it is
  initiated by you.
o Most routers include a hardware deny by default firewall as a standard feature.
o Portable computers should also use a software firewall (which comes with most
  operating systems) for protection when connecting to external networks directly.
10. Don’t become your local neighborhood public wireless hot spot.
Implement WPA2 protection on every wireless router and wireless access point, restrict
wireless access to your organization, and immediately change the default administrative
password on every one of your network devices.
Just about every business today uses an 802.11 wireless network to provide network access
to its organization. However, your wireless network does not stop at the walls of your
building and can be seen from outside. And when Internet traffic comes from your
wireless network it looks like it is coming from you – including illicit and illegal activities.
o Follow the documentation that came with your wireless router or wireless access
  point, turn on WPA2 wireless protection and use a strong password.
o Limit access to your employees and guests by restricting who knows the password,
  and change the password periodically.
o Also, when you get a new router, wireless access point or any type of network
  equipment, immediately change the default administrative password to something
  known only to you.
11. Protect every one of your computing devices and learn what normal looks like.
Protect every computer system in the enterprise by maintaining patch levels, use
endpoint security protection software, log all activity and establish a baseline of what
normal looks like.
Every device in your computing environment (desktop, laptop, tablet, smart phone,
server, network device, etc.) is part of the “attack surface” that criminals try to attack.
We need to protect all of them. The criminal just needs to find one weakness to exploit.
o Maintain operating system and application software patches on every computer
  system in your environment. Vulnerabilities in software are discovered after it is
  released and patches correct those vulnerabilities. Unpatched computer systems
  are a major point of exploitation for criminals.
o Use endpoint protection software on every computer device in your environment.
  Endpoint protection used to mean anti-virus software that protected against known
  signatures of malicious software. Newer endpoint protection software goes further
  and can detect malicious behavior before there is even a signature. Please contact
  SAVANTURE if you want to learn more about such endpoint protection.
o Log all activity in your computing environment and regularly aggregate and review
  the logs to establish a baseline of what is normal and to highlight abnormal activity.
  SAVANTURE can very cost effectively assist you in managing your logs and learning
  what is normal for you.
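To show what “establish a baseline and highlight abnormal activity” (and the log review called for in #6) looks like in practice, here is an added Python example that is not from the brief: it learns, per user, which sources and hours of the day successful logins normally come from, using constructed login records, and then flags logins from a never-seen source, at an unusual hour, bursts of failures and unknown user IDs. The log format, field names and the failure threshold are assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed login records (not real logs): "<iso timestamp> <user> <ok|fail> <source ip>".
BASELINE_LOG = """\
2014-03-03T08:05:12 alice ok 10.0.0.21
2014-03-03T08:07:40 bob ok 10.0.0.34
2014-03-03T12:30:01 alice ok 10.0.0.21
2014-03-04T08:02:55 alice ok 10.0.0.21
2014-03-04T09:15:09 bob ok 10.0.0.34
"""

# The next day's activity, reviewed against the baseline learned from the window above.
NEW_LOG = """\
2014-03-05T03:12:44 alice ok 198.51.100.7
2014-03-05T08:01:13 alice ok 10.0.0.21
2014-03-05T09:00:01 bob fail 10.0.0.34
2014-03-05T09:00:03 bob fail 10.0.0.34
2014-03-05T09:00:05 bob fail 10.0.0.34
2014-03-05T09:00:08 bob ok 10.0.0.34
2014-03-05T11:00:00 admin ok 10.0.0.34
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (ok|fail) (\S+)$")

def parse(text):
    """Turn log text into (timestamp, user, result, source) tuples; junk lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events

def build_baseline(events):
    """Per user: which sources and which hours of the day successful logins came from."""
    baseline = defaultdict(lambda: {"sources": set(), "hours": set()})
    for ts, user, result, src in events:
        if result == "ok":
            baseline[user]["sources"].add(src)
            baseline[user]["hours"].add(ts.hour)
    return baseline

def find_anomalies(baseline, events, fail_threshold=3):
    """Flag what the baseline has never seen; fail_threshold is an assumed tuning value."""
    findings = []
    fails = Counter()
    for ts, user, result, src in events:
        if user not in baseline:
            findings.append((user, "unknown-user", src))
            continue
        if result == "fail":
            fails[user] += 1
            if fails[user] == fail_threshold:  # report a burst once, not per attempt
                findings.append((user, "failure-burst", src))
            continue
        if src not in baseline[user]["sources"]:
            findings.append((user, "new-source", src))
        if ts.hour not in baseline[user]["hours"]:
            findings.append((user, "unusual-hour", src))
    return findings
```

Run against the constructed data this reports alice’s 03:12 login from an outside address twice (new source and unusual hour), bob’s burst of failed logins once, and the never-seen “admin” account, while the routine logins produce nothing to review.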
12. Detect and respond to security intrusions by engaging a trusted partner.
Detect and respond to anomalous network activity quickly and cost-effectively by
engaging a trusted security partner like SAVANTURE to monitor your environment
7x24x365, separate false alarms from real intrusions, and assist you with incident
response if and when necessary.
Bad things happen on the Internet 7x24x365. Unless you power off your computers and
networks every night when you leave, security events can occur when you are not there.
You engage a home security company to monitor the doors and windows of your home.
SAVANTURE watches the Internet and the networks of our customers around the clock.
We also can separate false alarms from real security events, and can assist with closing
security events when they occur.
We hope that you found this information to be useful and welcome your comments and
feedback.
And we would welcome the opportunity to help you to better protect your business.
We are SAVANTURE. We can help.
[email protected] or at +1.703.863.8568