Finding and keeping qualified staff to manage computer security is difficult. If done carefully, many security tasks can be outsourced to service providers. In any case, people are an important component in information security. Figure 15 completes the simple security picture by adding people to enforcement and monitoring. Part 3 of this book, "Implementation," describes these services in detail.
Figure 15 Enforcement, monitoring, and people protect your enterprise.
Risk Assessment. Estimating the value of your information assets and the risks they are exposed to is part of your job. But it really is an ongoing process, and it requires that some IT security staff be devoted to working with the business community to maintain the risk assessments. An outside organization can supply short-term or continuous assistance to the IT security team in the form of consultants to work with business leaders such as you to create and maintain those assessments. Please note that if you are in financial services or health care, you are required by regulation to maintain a current risk assessment. Chapter 15, "Security Assessments," addresses risk assessments.
Architecture. Understanding all of the technology options for security can be daunting. An outside consultant who has expertise in security architecture can help build the base document that is used by your IT and application development teams to create secure computer systems.
Configuration and Deployment. Installing and configuring security software can be a large job. If IT staff is not available, much of the work can be outsourced to a systems integrator with security experience.
Managed Security Services. Once security software is installed and operating, someone needs to operate it. Console (control room) operations frequently require 7-day/week, 24-hour/day staffing. Outside organizations can provide that as a service more efficiently than many companies can do it for themselves. Typical managed security services are firewalls, VPNs, and intrusion detection.
Response and Forensics. What do you do after you detect an intruder? In the physical world, one good answer is to call the police. Although we may want to do that for a computer intruder, it is important that we also take immediate actions to limit damage and identify the culprit. Having the plan in place will always be the responsibility of a single person in your company. But an outsourcer may provide the staffing to execute that plan.
Lastly, you will need to use the information in this book to establish a security program within your company. Chapter 14, "Establishing a Security Program," will guide you in creating that program. Like life, security is a process, not a destination. You may believe that you need to do only a few discrete things to "secure" your enterprise, such as installing a firewall, implementing virus scanning, and training your people. The reality is that enterprises are living, breathing entities that are always changing, as is the danger of a security breach. You will always be working on security, and the security program is your guide for ongoing improvement.
Security is a process, not a destination.