In the past year there have been a number of well-publicized, large-scale data breaches at large enterprises. Most recently the Sony breach has been dominating the news. There are articles reporting that in 2007 Sony's executive director of information security said he wasn't willing to spend a lot of money defending the company's sensitive information, and that he described how, a year earlier in 2006, he had convinced a security auditor that the company's use of very weak passwords wasn't such a big deal.
Another well-publicized breach took place at Home Depot. There are articles indicating that Home Depot knew there were additional steps it could take to secure its point-of-sale (POS) systems and had put together a budget to do so, but the decision to spend the money had been deferred.
All of this raises the question: what should an enterprise-level organization do to protect itself from a large-scale breach?
In my opinion, enterprises should start with a comprehensive security plan that addresses a wide range of areas, including Human Resources, physical security of the facilities, development, operations, and all change management. Risks should be identified, assessed, and tracked over time.
A good place to start is ISO 27002, titled Information technology – Security techniques – Code of practice for information security management. This standard covers a wide range of controls, and in the hands of an experienced assessor it provides a good framework for identifying areas that need attention and improvement. Depending on the business, other standards will also need to be applied. For example, if the enterprise handles any credit card data, PCI DSS compliance is also required, and enterprises handling health care data will also need to address the HIPAA/HITECH requirements. But even for enterprises that do need to conform to PCI DSS or HIPAA, ISO 27002 should not be ignored: sector-specific compliance does not replace the broader framework.
It is possible to take these standards and aim only for minimal compliance, which will do little to actually mitigate the risks. Again, there are indications that this may be the path Sony took. On the other hand, if the enterprise takes risk analysis seriously, these standards provide a good framework for identifying where it should be investing its efforts.
A key point is to perform good risk identification, analysis, and tracking. If an enterprise's risk analysis can clearly explain to senior management that remediating an issue will cost $25 million, that a breach through that system would cost more than $250 million, and that there is a high likelihood an attacker can successfully breach the system within the next year, most enterprises will make the correct decision.
Performing good risk identification and analysis requires experienced people with good insight into the enterprise and into IT security, and the ability to communicate with senior management. It is a team effort, requiring broad engagement with the stakeholders, and it is an ongoing process, not a one-time assessment.