There are five pillars to an IT security operation: policy and audit management, access management, infrastructure and hardware security, software and application security, and incident response.
Ideally, each of these functions -- individually or in combinations -- should be handled by its own team, each with its own manager or director reporting directly to a chief information security officer (CISO), for example. But midmarket companies don't have that luxury. Instead, they have to work with their existing staff members -- who, often, are already wearing multiple hats -- to cover each of these functions.
Moreover, the person responsible for IT security governance in a midmarket company may not be a CISO, either. It could be the CIO or some other C-level executive who is already wearing multiple hats. Even if your company outsources information security functions to a third party, like a managed security service provider (MSSP), you still need a single point of contact for IT security -- even if all that person does is act as a liaison to the MSSP.
So let's take a look at each of these functions separately and see how they could best be managed and then how best to organize your team to handle these duties.
Policy and audit management
Policy and audit management covers the drafting of information security policies and responding to auditors, both internal and external (external auditors are also known as regulators). Large organizations may have dedicated staff to spare to write, maintain, update and distribute information security policies, which govern the entire direction of a company's IT security effort. At the same time, auditors and regulators will want a single point of contact in an organization responsible for responding to their requests or for producing reports required for compliance with appropriate legislation.
Though this function is important as an overall guide to information security procedures, it isn't necessarily a daily activity in a smaller company. IT security policies and procedures may be drafted once and then updated only annually. They might need to be changed off schedule only when there are major personnel or system changes.
A bare-bones basic policy covers, among other things, acceptable use of systems, allowed devices, data ownership, classification and protection procedures, and responsibilities for system maintenance. A single person on your IT team can be responsible for drafting and updating the security policy. This isn't a full-time job.
That person can also support the executive or manager who acts as a liaison to outside regulators. That executive or manager doesn't even have to be an IT person. IT security controls are only one part of what regulators review. Regulators are industry-specific -- there's the Sarbanes-Oxley Act for publicly held companies, the Health Insurance Portability and Accountability Act for medical companies and the Federal Financial Institutions Examination Council for financial institutions, for example. The IT staff member lower on the food chain can provide the liaison with whatever information he or she needs at the time to answer the regulators.
Access management, infrastructure and hardware security
Access management, infrastructure and hardware security are often intertwined. These tasks include not only setting up and maintaining user IDs and passwords -- in the case of access management -- but also installing antimalware software and patches on the same systems those users log into.
Large organizations can afford to have two separate teams, one dedicated to maintaining hardware -- desktops, workstations, servers and firewalls -- and the other overseeing access management. Midmarket companies, on the other hand, don't have a help desk for just resetting passwords. Often the same people setting up user access are installing upgrades, patches and antivirus software at the same time.
Fortunately, access management is already part of the job description of IT staff members who maintain the networks at smaller shops. For the midmarket company without the staff for a dedicated access management team, it's best to keep these functions together. In addition, these people are probably already managing your firewalls and intrusion detection systems, which are part of your security hardware suite.
Software and application security
Software and application security is a bit tricky for midmarket companies. When what little IT staff you have is tied up with daily tasks like network maintenance and access management, it's difficult to review applications for security holes. And it's even more difficult to keep up with the vulnerabilities that may crop up in software purchased from vendors.
A good approach for a midmarket company is to either purchase tools available on the market for scanning software or to contract with an outside vendor to conduct regular scans. Tools like WebInspect from Hewlett-Packard Co. and products from Watchfire Corp. can automate Web site security checks; Ounce Labs Inc. and Fortify Software Inc. offer other software products geared for the midmarket.
Incident response
Finally, incident response is another crucial function. Incident response teams are like police and firemen: You call them only when they're needed. The problem is that, also like police and fire departments, they always have to be staffed and ready for an emergency. That's why you must have an incident response plan. The basics include an on-call rotation schedule for a single point of contact, members of the team to be summoned for emergencies and procedures for how to handle common situations like virus and hacker attacks.
Now, it might seem IT security is just being dumped on already overworked IT staff members. And, ultimately, they're the ones who carry the security burden. But the best way to keep sanity among your IT staff members is to prioritize security duties. Your staff is already tuning desktops, servers and firewalls as part of its routine duties, and access management is usually part of those daily chores.
After access management and hardware security, everything else is only a part-time job. Of course, an incident response team has to always be ready. But, here again, password resets will probably be more frequent than intrusions. This isn't meant to lessen the importance of having an information security policy or of scanning your software. It just means these aren't day-to-day responsibilities requiring a dedicated staff.
However you deploy the troops, it's important to remember: Even if you outsource to an MSSP, you'll still need a single point of contact to oversee whatever form your IT security operation takes. Whoever that person is, whether from IT or not, he or she will ultimately be the one held accountable for security.
Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP specializing in Web and application security, and is the author of The Little Black Book of Computer Security, available from Amazon.com. He has a regular radio show on computer security on WIIT in Chicago and runs The IT Security Guy blog at www.theitsecurityguy.com.