Discussion with Director – Security Operations (Pharma/Healthcare) – 2

a few months ago, i met the director of security operations of a large pharma enterprise with a presence on 4 continents and over 50,000 users. the enterprise had 4 large data centers with a centralized IT function. however, within the IT organization the challenges were immense, with 4 regional teams each having their own set of taxonomies, processes and ‘ways of working’.

during the discussion the director expressed a desire to have security operations with ‘dial tone reliability’ in his words.

when you pick up a handset, you expect to hear a dial tone. it’s a given thing. it’s pretty elementary, right? today, if you pick up a handset and don’t hear a dial tone, you will be surprised. similarly, not only in information security but also in IT operations, more and more executive management is wishing for, or rather demanding, ‘dial tone reliability’.

in the context of information security operations, how do we realize this desire?

in this post, i am putting down a few thoughts that we shared with the director, some of which were then implemented to achieve this goal. i am leaving security strategy & architecture out for the time being, though i must acknowledge at this point that it has to be a top-down approach involving strategy, architecture and operations.

  1. it has to start with a knowledge of what you have: both IT assets and control enforcement points. basically, what you don’t know, you can’t protect (back to basics, huh!). asset inventory & management, anybody? 🙂
  2. track the vulnerability & threat landscape to identify those which are relevant for the IT environment of the enterprise. it is important to be able to identify the vulnerabilities and threats that can potentially affect an organization’s IT environment and take the necessary steps to prevent, detect, or contain & recover from any incidents arising out of the realization of the risks due to these threats and vulnerabilities.
  3. track how many controls are actually working and ensure 100% uptime. in large organizations, i have noticed this is also one of the areas that requires a lot of oversight, especially if the number of controls deployed is large. for this organization, it was a challenge to track how many of the hundreds of IDS deployed were working at any point in time, which is needed to ensure effective monitoring of network segments. the same was true of firewalls, HIDS and antivirus controls.
  4. the risk treatment plan must drive the control requirement and subsequent enforcement. this ensures that the IT security spend is aligned to ‘optimum’ management of risk.
  5. implement a process to identify anything that is plugged into the network and ensure that only the desired, validated endpoints are allowed to connect. you can use a network access control framework to ensure only validated systems are allowed on the network.
  6. for any system that connects to the network, you need to ensure that events, both system security and user activity, are logged and analyzed for unauthorized / malicious activities / access control violations.
  7. define and adopt a robust incident response process to respond to unauthorized activities and malicious events. this process has to be globally defined and implemented throughout the enterprise. hence, if there is an incident, one is assured that the NA team will respond using exactly the same process as the EMEA team. this will also require other teams to pitch in, like network teams, server management teams etc.
  8. implement metrics to track the effectiveness of the controls that are enforced, and ensure appropriate measurement standards are enforced throughout the enterprise.
  9. have real-time visibility into security operations: have the ability to track incidents and malicious activities, and the responses being taken to mitigate or contain them as and when they are detected. track the change requests and the SLA to respond to such requests. if possible, also track the financial parameters that can be used to measure the effectiveness of the controls quantitatively. however, one must not ignore the qualitative metrics at the same time.
  10. measure and track residual risk.
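as an added illustration of items 1, 3, 8 and 9 (example code written for this post, not something the enterprise ran): a small control-health check that reconciles sensor heartbeats against a hypothetical asset inventory, flags IDS sensors that are stale or have never reported, and turns the result into a per-region availability metric. the heartbeat lines, sensor names, regions and the 15-minute staleness tolerance are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample heartbeats (not from the post), one check-in per line:
# "timestamp,sensor_id,region,status".
HEARTBEATS = """\
2024-01-10T09:00:00,ids-na-01,NA,ok
2024-01-10T09:00:00,ids-na-02,NA,ok
2024-01-10T09:00:00,ids-emea-01,EMEA,ok
2024-01-10T08:20:00,ids-emea-02,EMEA,ok
2024-01-10T09:01:00,ids-apac-01,APAC,degraded
"""
# Hypothetical asset inventory of sensors that should be reporting (item 1);
# ids-apac-02 is inventoried but has never checked in.
INVENTORY = {"ids-na-01": "NA", "ids-na-02": "NA", "ids-emea-01": "EMEA",
             "ids-emea-02": "EMEA", "ids-apac-01": "APAC", "ids-apac-02": "APAC"}
STALE_AFTER = timedelta(minutes=15)  # assumed tolerance for a missed heartbeat

def parse_heartbeats(text):
    """Keep the latest (timestamp, status) seen for each sensor."""
    last_seen = {}
    for line in text.strip().splitlines():
        ts, sensor, _region, status = line.split(",")
        when = datetime.fromisoformat(ts)
        if sensor not in last_seen or when > last_seen[sensor][0]:
            last_seen[sensor] = (when, status)
    return last_seen

def control_health(inventory, heartbeats, now_iso, stale_after=STALE_AFTER):
    """Classify every inventoried sensor as healthy, stale, silent or its own status."""
    now, report = datetime.fromisoformat(now_iso), {}
    for sensor, region in inventory.items():
        if sensor not in heartbeats:
            state = "silent"  # in inventory but never reported: a coverage gap
        else:
            when, status = heartbeats[sensor]
            if now - when > stale_after:
                state = "stale"  # last check-in too old to trust
            else:
                state = "healthy" if status == "ok" else status
        report[sensor] = (region, state)
    return report

def availability_by_region(report):
    """Share of inventoried sensors per region that are healthy (items 8 and 9)."""
    totals, healthy = {}, {}
    for region, state in report.values():
        totals[region] = totals.get(region, 0) + 1
        healthy[region] = healthy.get(region, 0) + (state == "healthy")
    return {r: healthy[r] / n for r, n in totals.items()}
```

the point of reconciling against the inventory rather than only against what reports in is that a sensor nobody has heard from shows up as a gap instead of silently disappearing from the uptime figure.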

these measures were implemented to get a degree of assurance that a device connecting to the network at any given point in time would be validated and allowed on the network only if it conformed to the enterprise standards and policies, and that all user and system activities were logged and analyzed in real or near real time for malicious activities. in case any new vulnerability or threat was detected, the operations team was able to respond with an effective strategy to prevent, detect or recover from a potential incident as far as possible.

an important aspect in the implementation of some of the above mentioned areas was to ensure that the processes around each were global in nature and that all teams understood and had one way of working. while the teams used global processes, they still retained their ability to leverage local knowledge of the IT environments to effectively control and maintain a secure operating environment for their business operations.

