Recommended Monitoring Targets

To help you determine the best targets for security monitoring, you must build on your security policies and documented network topology, as we described in Chapters 2 and 3. Armed with those decisions and documented knowledge, you should conduct a structured assessment of the systems that comprise your company.

  1. Conduct a BIA. Most enterprises have a team focused on business continuity and disaster preparation. Contact them and ask for the results of the most recent BIA, or ask them to conduct one in preparation for security monitoring. The BIA will produce, among other things, a list of critical IT systems. This is a good place to find targets for information security monitoring. The BIA will call out time-critical business processes and their MTDs (maximum tolerable downtimes). Ordered from shortest MTD to longest, this list can become a priority order for applying security monitoring. Systems identified in such an assessment will likely include those responsible for revenue generation and those with high visibility profiles.

  2. Conduct an Information Technology Security Assessment (ITSA). This formal appraisal will analyze the security of your IT systems to determine areas of risk. It should use the policies and network knowledge that you’ve documented as a benchmarking standard. To that end, it will incorporate examination of regulatory compliance, contractual/legal requirements, and systems that access sensitive data. The ITSA will produce a list of action items as well as an assessment of risk presented by your IT systems. Using the results of this assessment, you can develop a list of systems that require targeted monitoring, especially where preventive controls are impractical to apply.

When you combine the BIA and the ITSA, a list of systems will emerge at which you can target security monitoring. The list will focus your monitoring on the business priorities and concrete risks your company faces. Based on our experience, the best targets for focused security monitoring are those that can cause the most harm, by way of data loss or revenue loss. Most companies should therefore monitor systems that do the following:

Access sensitive data

Systems governed by regulatory compliance requirements, systems that store intellectual property, and systems that store private data have enormous value and should receive your primary attention.

Present a high risk profile

Systems that present special risk to your company should be given careful attention for security monitoring. Normally, these systems are identified during a risk assessment or external audit.

Generate revenue

Systems that are responsible for or directly impact revenue generation are obvious places to focus your security monitoring.
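The two assessments above feed one prioritization step: merge the BIA's MTD list with the ITSA's risk findings, keep only the systems that fall into one of the three categories (sensitive data, high risk profile, revenue) or where preventive controls are impractical, and order the survivors from shortest MTD to longest. The following Python script is an added example of that merge, not code from the book; the data model (`BiaEntry`, `ItsaEntry`, the `high`/`medium`/`low` risk ratings) and the five sample systems are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical record shapes for the two assessments described in the text.
@dataclass
class BiaEntry:
    system: str
    mtd_hours: float            # maximum tolerable downtime from the BIA
    revenue_generating: bool    # BIA flags the process as revenue-critical

@dataclass
class ItsaEntry:
    system: str
    risk_rating: str            # assumed "high" / "medium" / "low" scale
    sensitive_data: bool        # regulated, intellectual property, or private data
    preventive_controls_practical: bool

RISK_ORDER = {"high": 0, "medium": 1, "low": 2}   # tie-breaker after MTD

def prioritize_monitoring(bia: List[BiaEntry], itsa: List[ItsaEntry]) -> List[Dict]:
    """Return monitoring targets ordered by shortest MTD, then highest risk.

    A system appears only if at least one assessment gives a reason to monitor
    it; systems missing from the BIA sort last because their MTD is unknown.
    """
    bia_by_system = {e.system: e for e in bia}
    itsa_by_system = {e.system: e for e in itsa}
    rows = []
    for name in set(bia_by_system) | set(itsa_by_system):
        b: Optional[BiaEntry] = bia_by_system.get(name)
        i: Optional[ItsaEntry] = itsa_by_system.get(name)
        reasons = []
        if i and i.sensitive_data:
            reasons.append("accesses sensitive data")
        if i and i.risk_rating == "high":
            reasons.append("high risk profile")
        if b and b.revenue_generating:
            reasons.append("generates revenue")
        if i and not i.preventive_controls_practical:
            reasons.append("preventive controls impractical")
        if not reasons:
            continue                      # neither assessment justifies monitoring
        mtd_sort = b.mtd_hours if b else float("inf")
        risk_sort = RISK_ORDER.get(i.risk_rating, 3) if i else 3
        rows.append((mtd_sort, risk_sort, name, reasons, b.mtd_hours if b else None))
    rows.sort(key=lambda r: (r[0], r[1], r[2]))
    return [{"system": n, "mtd_hours": m, "reasons": r} for _, _, n, r, m in rows]

# Constructed sample assessments (not real systems).
SAMPLE_BIA = [
    BiaEntry("order-entry", 4, True),
    BiaEntry("payroll", 24, False),
    BiaEntry("hr-database", 72, False),
    BiaEntry("intranet-wiki", 168, False),
]
SAMPLE_ITSA = [
    ItsaEntry("order-entry", "medium", True, True),
    ItsaEntry("payroll", "medium", True, True),
    ItsaEntry("hr-database", "high", True, True),
    ItsaEntry("intranet-wiki", "low", False, True),
    ItsaEntry("legacy-scada", "high", False, False),   # absent from the BIA
]

if __name__ == "__main__":
    for rank, target in enumerate(prioritize_monitoring(SAMPLE_BIA, SAMPLE_ITSA), 1):
        print(f"{rank}. {target['system']:14} MTD={target['mtd_hours']}h  "
              f"because: {', '.join(target['reasons'])}")
```

The wiki drops out because neither assessment gives a reason to monitor it, while the SCADA host stays in despite having no MTD: the ITSA rates it high risk and notes that preventive controls cannot practically be applied, which is exactly the case where the text says targeted monitoring earns its keep.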
