Information Security Infrastructure: Assessing and analyzing

The project scope is to perform a security assessment of the current environment of MBE including the major business processes, operating functions, organizational units and information systems and a thorough evaluation of the configuration and design of the existing network and systems infrastructure and main servers. Based on the assessment, need to define and implement the desired Information security architecture which protects the information base and aligns with the business processes.

Project execution milestones:

1. Study the existing Setup and Develop AS-IS document and Critical Success Factors
2. Analyze the AS-IS Study and design the TO-BE environment
3. Procure required Hardware and Software and implement for Test Environment
4. Analyze the TO-BE environment and realize the achievements based on Critical Success Factor
5. Conference room Pilot setup and demonstration
6. Project Go Live and monitor the environment. Reconfigure for betterment and performance issue
7. Project Roll-over to all sites

(Read more:  My Key Learning While Implementing Database Security)

[AS-IS] critical security elements:

• Sensitivity of information assets and their threats
• Security strategy, program and management system in place including policies and procedures
• User identity and logical accesses management (identification and authentication mechanisms, procedures for creating, modifying and deleting systems / application accounts and profiles, and account naming conventions);
• Security administration and monitoring
• User awareness, Password Change & Reset procedure
• Password policy (syntax rules, expiration, password history etc.)
• Security controls in Applications/Systems Development & Change processes
• Information and user Classification
• Backup Media Handling and Management
• Physical and environmental security
• Host, application, network and systems and database security
• Workstation and End User Computing Security measures
• Perimeter and remote access security
• Business continuity and contingency planning


[TO-BE] critical security elements:

• Conducted interviews with key staff and decision makers
• Organized workshops during which high level impact assessment was performed, general policy requirements was discussed and strategy was finalized
• Discussed, modified and defined information security management structure, security policy and development process
• Identified and evaluated current policies and standards
• Mapped overall security policy requirements to current security policies
• Performed gap analysis to identify where new policies are required and where existing policies and standards are no longer valid
• Provided recommendations and training regarding the methodology to be used in future to maintain the security policy in a dynamic environment

(Read more: How effective is your SIEM Implementation?)

Solution implemented: 

MBE’s total information base is segregated into broader perspective i.e. Engineering Database, Commercial Data Management, Project Management, Document Management and Mailing System.

While designing, Security aspects considered:

• Network security
• Host and database security
• Internet systems and services
• Intranet systems and services
• E-mail and messaging services
• Web browsing services
• Portal services and systems
• FTP services
• Remote access services
• Intrusion Detection System through Firewall
• Security Monitoring, logging and Management systems
• Security filters and controls on the network boundaries
• Wireless networks [BYOD was not considered because except Mail, no application is available on mobile devices]
• Identification / Authentication mechanisms for Network, Applications and Systems [Single Sign-on applicable for partial application only]
• User identity and, Logical access Management (procedures for creating, modifying and deleting systems / applications accounts and profile, password procedures and policy implementation)
• Backup Media Handling and Management
• Workstation and End User Computing Security
• Physical and environmental security
• Any other Internet or non-Internet based area

Based on the security aspects mentioned above, following activities were performed

• Reconfigured network, system, application and information requirements (including authentication, authorization, integrity and confidentiality)
• Reconfigured / implemented non functional requirements (including performance, capacity, redundancy)
• Designed and implemented architecture model (including Identity management, Access control, information flow controls, network segregation and zoning, naming and IP numbering schemes / strategy, credential repository, auditing, etc).
• Designed and implemented system monitoring and management architecture

Control Mechanism:

• Inventory of Authorized and Unauthorized Devices: Restrict use of unauthorized devices
• Inventory of Authorized and Unauthorized Software: Restrict implementation & use of unauthorized software
• Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
• Continuous Vulnerability Assessment and Remediation
• Malware Defenses
• Application Software Security
• Wireless Device Control
• Data Recovery Capability
• Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
• Limitation and Control of Network Ports, Protocols, and Services
• Controlled Use of Administrative Privileges
• Maintenance, Monitoring, and Analysis of Audit Logs
• Data Loss Prevention [ Implemented but withdrawn recently because of its performance issue]
• Incident Response and Management
• Secure Network Engineering

The hit rate of attack vectors has come down drastically. Around 78% of attack volume is decreased.

(Read more:  Database Security Vendor Evaluation Guide)

Learning:

The lessons we had learnt, are enlisted below for reader’s future reference.

A. Identification of Information Type and Security requirements for each type of Information. The main objective is to have a classification of Information and originating source. This will give us clear guidelines to implement a solution.

B. Knowledge gathering: We have two major sources from where we can gather information and enrich our knowledge from Libraries/Internet and vendors.

C. Product Evaluation: The most important part is to evaluate a product. There are so many products available in the market but selecting a product which one will suite better and economically viable, is a challenge. POC is not only the solution because POC took place with a test environment which may not cover all types of issues. Points to consider:
a. Well defined RFQ in place
b. Product Manufacturing detail and their R & D roadmap shall be analyzed
c. Gap analysis of Product shall be furnished
d. Work-around for the gaps shall be demonstrated by the vendors
e. Scope of Customization shall be available
f. Supports of product including Customization shall be available
g. Availability of Technical Staff
h. Cost of Ownership including recurring cost, if any, shall be minimized
i. Scope for Version Upgrade shall be available and shall not override the customization portion
j. Past performance of Product and support shall be reviewed
k. POC with maximum data shall be evaluated to ensure performance issue
[It was observed that after installing one DLP (End Point) with very minimum rules, we observe that the performance become shows stopper (installed only800+ users). It was so bad that the operation of each PC got stacked. We observe that file sharing also stopped within a network, Network bandwidth badly chocked. POC was done for 300+ users where it was working fine].

D. Vendor Evaluation: A good quality product may fail to perform if not implemented or configured properly. Implementation partner or vendor plays a major role in this area. Points to consider:
a. On-time delivery
b. Quality of Technical Stuff / Implementer
c. Product functionality and performance
d. Cost of Ownership
e. Facility and Technology
f. Responsiveness to Customer needs
g. Professionalism of salespersons
h. Quality of relationships with vendor
i. Local presence 


-With Pulak Tarafder, A V P (IT), McNally Bharat Engineering Ltd. on Assessing and analyzing Information Security Infrastructure

E-mail me when people leave their comments –

CISO Platform

You need to be a member of CISO Platform to add comments!

Join CISO Platform

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)