It is late 2003, and officials at the Kettering Medical Center Network have a challenge on their hands: How do they ensure they are securing their network in the most efficient manner?
Rather than simply renew its Symantec AntiVirus Enterprise Edition licenses, the network of Ohio hospitals decided to perform a complete network security assessment.
“HIPAA compliance was one driver, but another was the commitment to be proactive in security,” said Bob Burritt, manager of network and technology services for the Kettering Medical Center Network. “The network security assessment began in October 2004 and Symantec Consulting Services made its recommendations in early February 2005.”
In the end, the company found savings in time and money as well as a greater level of confidence in its security posture and compliance with HIPAA (Health Insurance Portability and Accountability Act) regulations. The question asked in 2003 by officials from the Kettering Medical Center Network is repeated within organizations throughout the world.
Security professionals said company officials need to take a comprehensive approach to extending security throughout the enterprise, from the IT staffer to the employees in the call center.
Khalid Kark, an analyst with Forrester Research, said the biggest challenge CISOs (chief information security officers) face today often is convincing all of their employees they have a role to play.
“One simple sentence that a lot of [CISOs] get is, ‘It’s not my job,’” Kark said. “We have to get over that perception, and the CISO has to be kind of the cheerleader for that and they have to really go out and market security in a way that everyone understands it’s their responsibility.”
Ensuring every employee is aware of the HIPAA and other laws and regulations can be tough, Burritt said, adding the hospital network has a number of education programs for employees on security and other topics.
“We turned the need for HIPAA compliance into an opportunity to get a complete network security assessment from Symantec Consulting Services,” he said.
The Kettering Medical Center Network now uses Symantec Network Security 7161 intrusion prevention appliances to provide an outer shield for its network against worms and zero-day attacks. Inside the network perimeter, Symantec AntiVirus Enterprise Edition protects the hospital network’s servers and desktops, and Symantec Client Security and Symantec AntiVirus for Handhelds protect laptops and mobile devices. In addition, the network’s intrusion prevention appliances are continuously monitored and managed by Symantec Managed Security Services.
As a result, Burritt said, the hospital network has saved $200,000 in staff time annually through firewall monitoring from Symantec Managed Security Services and another $18,000 in annual savings by slashing staff time for a security review of KMCN’s 200 servers. In addition, there was a one-time savings of $140,000 and $70,000 annually on licensing, and $4,000 annual administrative savings from the Symantec Value Licensing Program.
“We definitely measure the costs of downtime,” Burritt said. “According to our [chief financial officer], we lose a million dollars a day in revenues if our IT systems go down.”
With such money at stake, organizations have a vested interest in securing their network. Establishing a strong data security framework begins with understanding what data they care most about, said Christopher Parkerson, senior product marketing manager at the Data Security Group at RSA, the security division of Hopkinton, Mass.-based EMC.
Protecting Your Corporate Network
“Next, they need to find where this data lives and what policies are needed in order to protect it,” he said. “Finally, they need to implement effective enterprise-wide controls for consistent enforcement. The effectiveness of the final step, implementing proper controls, is reliant on a well-executed data identification and classification process that precedes it.
“And before you can even start implementing a framework, you have to understand the scope and focus the overall effort, otherwise it will end up being a sinkhole in terms of cost and resources,” he said.
In a recent survey of almost 200 organizations performed by Forrester, 37 percent admitted they had no data classification policy. In addition, 55 percent of respondents said they have data security policies that are either outdated or require significant changes to bring them in line with regulatory and company mandates, and 27 percent said their policy was rarely enforced.
At Atlanta-based CDC Software, a provider of enterprise software applications, officials utilize a process that weighs the likelihood of a security event and its potential impacts to calculate a risk score.
“This risk score helps to drive discussions and decisions around the prioritization of any needed remediation effort,” said Walter Jeske, CDC vice president of IT. “The risks are initially established by the IT organization and then shared across senior management of our organization to elicit feedback. That way we can uncover additional risks and prioritize risk remediation.
“This process works best if it is initiated within IT and used as part of the IT prioritization/demand management process,” he said. “One of the keys to success is to state the risk in business terms and be sure it is agnostic to the technology. IT personnel have a tendency to solve a problem with technology and then try to sell the technology solution to the business leaders. This will likely result in business leaders misunderstanding the business risks the technology is solving because IT and the business areas are both using different types of business languages in their interpretation.”
Some security professionals also suggested enterprises establish metrics to measure how effective their security tools, policies and procedures are. Those walking into a new job for the first time should begin by looking at any previous security audits and talking to the heads of the various business units to see what their policies and concerns are, they said.
Overall, organizations should take a holistic approach to security and view technology as just one part, security professionals and analysts said. At Mercy Medical Center in Baltimore, hospital officials will be working to integrate logical and physical security, said Mark Rein, senior director of IT.
“Our goal is to provide employees a mechanism to secure ePHI [electronic protected health information], without compromising their access to required data,” he said. Rein added that in the near term the hospital will use portal Web pages targeted to increase awareness of ePHI and the hospital’s policies on data protection.
A unified approach to security, one that includes both education and technology and in which IT security policies align with business security policies, will make for a more secure environment, Forrester’s Kark said.
“A lot more organizations now have, or at least are working towards, a framework that is aligned to the corporate security principles they have, the regulatory compliance mandates that they have to follow and kind of the corporate governance types of things and risk management types of things being all included in there,” he said.