The information security plan describes how the security is implemented, defined policies, controls and solutions. The information security plan is developed considering all the IT resources depending on the security levels achieved and the pending aspects. An information security plan should focus on the actions required to achieve higher levels of security. It is very important to define the scope of an information security plan. According to logical security services company experts, the scope helps in defining priorities and actions depending on the IT resources.
Physical security and logical security are two aspects of an information security plan and are necessary for implementing security in the companies. Below are the details of each aspect.
An important part of an information security plan is logical security. Logical security solutions with logical security controls form a path to implement logical security.
Logical security solutions
There are a great number of logical security solutions provided by various logical security services companies. Enterprise logical security solutions are required for the prevention, detection and recovery from a security breach. Logical security solutions and services avoid unauthorized access to company’s information. According to logical security services company’s expert, logical security control and network perimeter security systems are integral parts of logical security services. Logical security solutions and services create logical barriers that protect access to company’s information.
As per the experience of logical security services company experts, traditionally enterprises relied on network perimeter security systems to defend against network threats and antivirus programs to defend against content threats. However, these systems do not provide complete protection against advance attacks. Logical security services company experts claim that the defense against sophisticated attacks is beyond the capacity of conventional logical security solutions and this has accelerated the need for logical security services and advanced solutions.
Perimeter security systems
An important part of the logical security solutions and services for companies is a perimeter security system. All companies, regardless of their size and the sector they are engaged in, currently have some form of perimeter security system for cyber defense against cyber attacks. Network Perimeter security systems are responsible for the security of the company’s IT resources against external threats such as viruses, worms, trojans, denial of service attacks, theft or destruction of data, and so on.
Formerly network perimeter security systems only incorporated firewall, but the market for perimeter security system is changing a lot and in present moment a network perimeter security system even incorporates IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems). Perimeter security system specialist explains that a network perimeter security system should inspect application protocols, content and should use advanced techniques to identify unknown threats. Perimeter security systems provide protection at two different levels. The first level is the network; the network perimeter security system provides protection against threats like hackers, intrusions or theft of information in remote connections. The second level is the content; perimeter security system for content provides protection against threats such as malware, phishing, spam and inappropriate web content for companies. This clear division and the way in which threats are evolving in recent years has led to perimeter security system companies to focus on the development of dedicated teams for either end.
Identification and authentication of users
Identification and authentication of users is an important part of logical security solutions and services for companies. Access controls help in identification and authentication of users. The allocation of rights and privileges in an access control system are controlled through the authorization process which determines the profile of each user. Logical access controls solutions guarantee access to authorized users and prevent unauthorized access to IT resources. According to the experience of logical security controls experts, during the implementation of access control solutions companies should consider the following:
- Logical security controls for classification, authorization and distribution of information.
- The standards and company’s obligations regarding protection of information access.
- Security audit processes to verify access controls.
- Maintaining access records for each service or IT system.
- The procedures for user identification and verification of access of each user.
- Logical security controls should cover all phases of the lifecycle of user access, from the initial registration of new users to cancel the registration of users who do not require access to IT resources.
- System and authentication method used by the access controls systems for information security.
- Considering advance logical security solutions for access control, such as biometrics, smart cards, etc.
- Define IT resources, which must be protected with the help of access control solutions.
Authorization processes and methodology used by access controls system.According to logical security control experts, the review process of user access rights is very important after any change. Companies should implement network perimeter security solutions in order to prevent unauthorized modification, destruction and loss of data belonging to access control system.
Logical Security Controls
The primary objective of logical security controls to provide guidance and help to the management, in accordance with business requirements and security standards. Logical security controls represent business goals and commitment to data security and should be communicated to all employees of the company.
Logical security controls define the resources that must be protected and what are the logical security policies. Logical security controls themselves do not define how the IT resources are protected. This is defined through logical security services and logical security solutions. For each control there are several logical security solutions that may exist. Since logical security controls can affect all employees, it is important to make sure to have authorization for the implementation and development of the same. Logical security controls must be approved by logical security controls experts with experience in implementing logical security solutions and the management of the company that has the power to enforce them. Controls for incident management, data backup and protection of personal data form an integral part of logical security controls.
Physical security solutions
Another important part of the information security plan is physical security. The physical security solutions are designed to achieve efficient management of security and these solutions must ensure compliance with the standards, as well as established by the company itself. The physical security solutions are intended to prevent unauthorized physical access, damage and interference to the IT infrastructure and company’s confidential information. Physical security solutions form an integral part of the information security solutions. IT departments and other departments which have data management can implement physical security solutions. The security plan identifies the areas controlled inside the company, the areas that have specific security requirements and on this basis; limited, restricted and strategic areas are declared and physical security solutions that apply to each area are described.
Generally physical security solutions create a physical barrier around the areas of information processing. But some physical security solutions use multiple barriers to provide additional protection. Companies must periodically do the performance review of the solutions implemented and determine the actions required to achieve the business goals. The protection of the IT infrastructure and business devices form an integral part of physical security solutions and is needed to reduce the physical threats of unauthorized access to information and risks of theft or damage. These solutions must take into account the actions needed to fill gaps in security and for correcting errors. The physical security solutions ensure information protection against power failure, interception of information and protection of cables. According to experts of physical security solutions, physical threats and damages that may be caused by fires, floods, earthquakes, explosions, and other natural or man-made disaster should be considered during the implementation of physical security solutions in companies.
Implementing a information security plan is an important step in the field of security as per experts from an organization specializing in logical security services for companies. The information security plan should adjust to the security system in place and manage security. The security plan should be very understandable and ensures compliance. The information security plan experts should assure that the security plan is updated based on the changes, new logical security controls and physical security solutions.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.