Let’s think together – what technologies and practices constitute information security essentials? The question is actually bitchingly hard – so think before answering! One way to think of this is to imagine somebody describing his security capabilities to you, and when they miss something from that list you go “ZOMG!!! No way you missed X! What are you, stupid or something?! STOP talking to me and go deploy/do/buy that now!!!”
First, it is probably NOT just “firewalls and SSL” (and anti-virus) – endpoint security and data security should be represented, as well as possibly cloud security. Also, some practices will span both information security and IT operations, such as asset management, change management, patch management, etc. For example, PCI DSS is not a bad list of basics, as some would say.
So, let me try my hand at this admittedly thankless task (we may do a formal research project on this later…)
This first batch holds the “unquestionables” (IMHO):
- Security policy
- Firewalls/network segmentation
- Transit data encryption
- Vulnerability management (including remediation such as patch management)
- Incident response
This batch holds the strong contenders:
- Security awareness
- [Some] risk assessment
- Stored data encryption
- Log analysis and monitoring
And this batch starts to cover what can be called debatable:
- Lots of other stuff that I am too lazy to mention – this last section can be long!
(as you noticed, the list mixes tools and practices, but favors tools slightly; this is not intentional)
And, of course, THE primary risk is that the list is BOTH “too long” and “too short” – at the same time (a complaint frequently tossed in the direction of PCI DSS).
Here are some attempts to ponder this question or come up with specific lists of “cyber security” things to DO and BUY:
- “Back to Basics”: What does this mean?
- “Enterprise Information Protection Standards of Practice – Options and Basis” (by the legendary Fred Cohen)
BTW, Ben, I am not stealing your thunder – I just wanted to start this discussion 🙂
Loosely related blog posts:
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.