ANALYST REPORT: Managing IT Security Risk in a Dangerous World

Recent changes in the business, regulatory and IT environments are increasing the need for comprehensive, enterprisewide business continuity planning that includes IT practices and processes. Gartner has identified four pillars of enterprise IT security: Security Risk, Organisation, Policies and Architecture.

The consequences of less-than-perfect IT security are more serious than ever before. The havoc wreaked worldwide by the Nimda and SQL Slammer computer virus attacks highlights the existence of an increasingly effective underground society of hackers and confirms the need to build better defences against cyberattacks. The impact of these highly publicised attacks is, however, dwarfed by the business losses caused by internal security lapses. A series of financial reporting scandals involving high-profile enterprises demonstrates an urgent need for information security techniques that improve the trustworthiness of enterprise transactions and audit trails.

A series of legislative and regulatory initiatives - including the Gramm-Leach-Bliley Financial Services Modernization Act, the Healthcare Information Portability and Accountability Act (HIPAA) and the European Data Privacy Directive - demands better execution in the areas of security and privacy, and raises the legal and financial stakes for enterprises that fail to meet their standards. These changes in the business, regulatory and IT environments are also increasing the need for comprehensive, enterprisewide business continuity planning that includes IT practices and processes.

Gartner has identified four pillars of enterprise IT security:

Security Risk, Organisation, Policies and Architecture

A key element of effective IT security risk management is to identify exposures and their potential costs so that security policies - and an overall security architecture - can be developed to minimise these exposures and costs. Security policies should also enable an enterprise to take the greatest amount of risk necessary to support business requirements. Although this planning and design work is essential, risk is not managed until security policies and architectures are implemented. Implementing a security architecture requires an effective security governance model. Enterprises must determine the aspects of security to be centralised, the implementation of regional or departmental aspects of security, the methods to obtain funding, and the ways IS organisations and business units will be accountable for security. The scope of planning and development in this area should include:

— Risk management
— Regulatory issues
— Confidentiality and intellectual property protection
— Business application security
— Security services and sourcing

Security Infrastructure

An enterprise's security infrastructure is made up of the tools, technologies and tactics that are deployed to protect the network perimeter and internal resources. Unfortunately for the world's security administrators, each wave of new technology renders the existing security architecture obsolete. PCs made the host-centric security model irrelevant; distributed applications running across local-area networks reset enterprise security; and the inclusion of external networks in the enterprise topology did the same for client/server security. Java and network computing have placed even the applications running on enterprise networks beyond the control of security administrators. Mobile devices and wireless connections bypass firewalls and enable sensitive information to be accessed by devices clipped to employees' belts. Traditional security infrastructure focuses on hardening the perimeter, but internal resources are now increasingly exposed to external access by outward-facing applications. In this fast-changing environment, enterprises must have a hardened interior and a layered approach to security, with an infrastructure that includes:

— Firewalls
— Intrusion detection and prevention
— Antivirus protection and content filtering
— Mobile and wireless security
— Encryption
— IT security management

Security Administration

Enterprises cannot realise satisfactory returns on their investment in security planning and policy development without effective execution and implementation. Sound security administration focuses on operational technologies and best practices that maintain secure access to applications and resources, and on ensuring the integrity of system definitions and configurations. The scope of security administration includes:

— Web services and public-key infrastructure
— Vulnerability assessment
— Security configuration and patch management
— Identity and access management

Business Continuity Planning

Business continuity planning has evolved beyond its traditional focus on disaster recovery to include planning and design for IT and business process resilience. This evolution is driven, in part, by the growing linkage between IT and business processes as enterprises deploy more real-time, outward-facing applications that support critical business processes. Enterprises must implement comprehensive business continuity planning programs that address business recovery (that is, recovery of the workspace), business resumption planning (for key business processes), contingency planning and crisis/emergency management. Business continuity planning should be integrated into business processes and the IT life cycle, and address the following concerns:

— Business continuity planning strategies and best practices
— Business continuity planning technology and tools
— Business continuity planning services

Mark Nicolett is a Research Director at Gartner

For more Gartner research on Security, please visit gartner.com/security.
