Security Framework

With so many aspects to consider for IT security, this framework is a very useful approach to analyze how well an organization is addressing overall IT security.  This framework breaks security into people, data, applications, and infrastructure.

PEOPLE- The focus on people looks at controlling and monitoring what information people can and do access.  User provisioning is one of the big considerations.  Does a user have appropriate access to the systems he or she need, and only the system he or she need?  In smaller organizations this is often handled without automation.  Requests come often through a service desk ticket by management or HR for a person in a particular role to be granted access to a specific set of applications.  The challenge with this method is human error.  With movement in an organization, it is easy to end up with a user who has access to systems to which he or she should not be authorized because changing their access was overlooked.  A more thorough method of managing this and more cost effective method in larger organizations is to use an identity and access management system.  This is a centralized engine that manages the user’s privileges rather than administrators changing access application by application.  SIEM (Security Information and Event Management) tools provide another key aspect of people security, because they can detect targeted attacks in early stages and minimize any damage by monitoring user activity and data access.

DATA – This focus on IT security looks at what controls an organization has in place that prevents users from accessing unauthorized data not through an application, but directly from a data repository.  One aspect of this is data masking.  This addresses whether or not an organization has taken sufficient measures to mask sensitive data when being used in a test scenarios.  Another aspect to the data area of security is having sufficient controls on structured and unstructured data so DBAs and other administrators are monitored  and limited to what information they can see.  SOX and PCI are two of the bigger drivers that dictate what controls need to be in place to protect sensitive data through direct data access.

APPLICATION – Securing applications means taking measures to ensure hackers cannot get to data they should not be able to access.  One of the more common examples is SQL injection where a hacker changes a query to retrieve information that the application developer did not intent for them to retrieve.  There are two common methods of addressing application security.  The more common of the two is through penetration testing where a pen testing tool will attack an application to see if it can get to unauthorized data.  Another method of addressing application security is using tools to scan source code to find poorly written code that can create security vulnerabilities in the compiled application.

INFRASTRUCTURE – As IT infrastructures are constantly changing, it is critical to have tools, policies, and procedures in place to keep the infrastructure secure.  One of the more common examples is uniform patch management.  Another example that falls in the category of infrastructure security is network management and monitoring.

Breaking IT security into these areas of people, data, application, and infrastructure can be a useful way to help ensure a more thorough assessment of an environment.