the cycle all over.

The regulatory climate adds to business risk, because public companies such as Intel must comply with the Sarbanes-Oxley Act as well as California’s database breach disclosure law. Such regulations can pull security budget dollars away from areas that the company may want to protect by forcing them to instead spend money on areas they are legally bound to protect, Sparks says.

What results is a balancing act, in which the company must weigh its need to provide authorized access to data on one side vs. the need to protect its assets on the other. “What you really want to do is research your requirements, your needs and what you’re trying to protect and put the greatest effort into that,” Sparks says. Companies must be mindful, however, that if they err too far on the side of caution, they may limit the usefulness of their most important asset: their data. If employees who need data can’t get at it, the data does the organization no good.

With its huge constituency of users to think about, as well as significant legal requirements to meet, Intel tends to fall just to the conservative side of the equation, Sparks says. The idea is to keep information assets reasonably protected, and to keep legal, but still allow information to be available to those who need it.

A 4-pronged approach

Once you determine where you want to fall on the security spectrum, the next step is to implement a layered approach to ensure proper protection. Intel came up with four layers: Policy; training and education; technology and testing; monitoring and enforcement.

In terms of policies, they must be formulated such that they mesh with business goals, which means management has to be involved in the process. The legal department likewise has a say in terms of what regulatory issues must be dealt with.

The next step is to publicize the policies and to train users on what is expected of them. “Set the expectations, document the expectations and make sure that your employees or others who handle data realize they’re accountable for the protection of that data,” Sparks says. “If your HR people don’t know they need to protect your personal data, how are they going to do the right thing?” Training is also the only way to educate employees about social engineering and phishing attacks.

Training can take many forms and must be constantly reinforced. Intel uses its company newsletter to reinforce the policy message, recounting examples of when security breaks down and the damage it can cause. It also has a series of posters with security reminders that it posts in public areas.

When it comes time to implement technology to help provide security, Intel strives for efficiency in terms of the dollars it spends. The greatest increase in security effectiveness comes with the initial investment you make in a given security technology, Sparks says. But as you spend more money on any particular counter-measure, the risk reduction you get per additional dollar slows down. For each security technology, you reach a point where it no longer makes sense to continue investing in that technology, because shifting those same dollars to another counter-measure will give you a better return on your investment. In short, it’s better to spread security dollars across many counter-measures, just as financial advisers recommend reducing risk by spreading investments among different types of stocks and bonds.

“You have to sample the environment and ask, ‘Are the controls we’ve implemented doing what we expected?’” Sparks says. Intel periodically conducts a “war game” against itself to find weaknesses before somebody else does. Rather than use outside professionals, Intel uses its own personnel to conduct the war games, but always with management approval. And of course it’s imperative to keep the results close to the vest, lest someone outside the company find out about your weaknesses before you have a chance to correct them.

The last step is to implement tools that allow you to constantly monitor your environment to look for not only attacks in progress, but security policy

Sponsored by HP ProCurve Networking