3 Elements of Security Management: Complete Walkthrough

Enterprise security management serves not only to control security within the enterprise itself; it also supports operational performance and the expansion of the business. At the operational level it coordinates information security, physical security and personnel security, and its ultimate purpose is to ensure that the enterprise can keep operating. A&S interviewed Xu Ziwen, Manager of the Security Management Office of Yuanchuan Telecom, to present the essence of "enterprise security management" from his professional perspective in the field of private network services.


The concept of enterprise security management

To be fair, risk is everywhere and business operations will always carry risk; the question is how to manage, disperse and suppress it. The most important task of the corporate security department is to keep the enterprise running normally, draw up emergency response plans, and keep every emergency under control. What kinds of "insecure" incidents can a business experience? Xu Ziwen gave the example of the large-scale power outage caused by the 921 earthquake: precautions must be taken in advance, such as renting a generator beforehand so that the enterprise is not affected when the outage occurs. With competition in industry growing fiercer, how to prevent industrial espionage is also a topic worthy of corporate attention.



What is Cyber Security? 

Cybersecurity is the practice of protecting critical systems and sensitive information from digital attacks. Also known as information technology (IT) security, cybersecurity measures are designed to combat threats to networked systems and applications, whether they originate inside or outside the organization.

In 2020, the average cost of a data breach worldwide was $3.86 million, compared to $8.64 million in the United States. These costs include finding and responding to the breach, downtime and lost revenue, and long-term reputational damage to the business and its brand. Cybercriminals target customers' personally identifiable information (PII), including names, addresses, identification numbers (e.g., social security numbers in the United States, fiscal codes in Italy) and credit card information, and then sell these records on underground digital marketplaces. Leaking PII often leads to loss of customer trust, regulatory fines and even legal action.

Complex security systems built from disparate technologies, combined with a lack of in-house expertise, increase these costs. Enterprises with comprehensive cybersecurity policies, managed through best practices and automated with advanced analytics, artificial intelligence (AI) and machine learning, can combat cyber threats more effectively, shortening the lifecycle of a breach and reducing its impact.

It is worth noting that an enterprise owns not only tangible assets such as computers and office equipment, but also intangible assets such as information and working hours. For example, as enterprises become increasingly networked, if the mail server goes down, a company with 300 employees may need at least an hour to recover, and the working hours lost in that time are a significant cost to the enterprise. More serious still, cybercrime is increasingly rampant: there have been cases abroad of hackers breaking into the websites of listed companies to alter their financial reports and stock prices, which greatly affected investor confidence and was reflected directly in the share price. Xu Ziwen said that preventing such problems from affecting the development of the enterprise, and dealing with them immediately if they do occur, is an important task of the security department. In other words, the enterprise security department exists to protect the integrity of the enterprise's assets, minimize the damage that may occur, and ensure that the enterprise can continue to operate.



Dangerous fallacies about cybersecurity


While the number of cybersecurity incidents is on the rise globally, there are still some misconceptions, including the following:

Cybercriminals are outsiders. In fact, cybersecurity breaches are often the result of malicious insiders acting for their own benefit or colluding with outside hackers. These insiders may belong to well-organized, nation-state-sponsored groups.

The risks are well known. In fact, the risk surface keeps expanding, with thousands of new vulnerabilities reported in old and new applications and devices alike. The opportunities for human error are constantly increasing, especially data breaches caused inadvertently by negligent employees or contractors.

The attack vectors have been contained. Cybercriminals are always looking for new attack vectors, including Linux systems, operational technology (OT), Internet of Things (IoT) devices and cloud environments.

My industry is safe. Every industry has its own cybersecurity risks, and in almost every government and private-sector organization cyber attackers exploit the communication networks the organization depends on. For example, ransomware attacks now target more sectors than ever before, including local governments and nonprofits, while threats to supply chains, ".gov" websites and critical infrastructure have increased.



The three elements of security management


Like other kinds of management, security management rests on three elements: People, Process and Technology. Because everything is done by people, personnel security is the most important of all; the security policy an enterprise formulates depends on "people" with security and emergency awareness to follow it. If the enterprise can master its processes smoothly, it can get more than 80% of security right. Xu Ziwen particularly clarified that Technology does not refer only to CCTV, access control systems and similar devices, and that the recently popular topic of information security does not refer only to firewalls and anti-virus software: all technologies exist to assist in achieving the security management policy.


Six directions of enterprise security management

  • Information Security
  • Emergency Planning
  • Security Audit & Investigation
  • Enterprise Security 
  • Education Training and Advocacy 
  • Security Awareness Training

Above are the six directions of enterprise security management; the first three are the main axis of enterprise security management, and the latter three are the pillars that support them.


1. Physical and Environmental Security:

The focus of physical security is to prevent unauthorized access that could affect or impair workplaces, assets and people. Environmental security extends physical security: when an enterprise chooses a place of business, the safety of the surrounding environment must be assessed in particular, for example whether the area is well policed and whether the water and electricity supply is adequate.

Physical and environmental security has two control objectives, Access & Egress Control and Activity Monitoring (Surveillance) Control, and four functions: deterrence, detection, delay and denial.

Common physical and environmental security equipment and methods include physical barriers such as walls, fences and barbed wire; lighting, which serves both illumination and defensive functions; access control systems, which include guards, locks and keys; CCTV and other activity monitoring systems; and alarm systems.

2. Personnel Security:

The focus is on reducing the risks arising from misconduct by internal or external personnel. Xu Ziwen said that personnel security is the most basic and important part of enterprise security management. He suggested that enterprises must carry out background checks on new hires and on staff in sensitive or important positions, and that important positions in particular must be divided so that no single person is responsible for everything. The burden of "human feelings" must also be avoided: the ISO 17799 information security standard (ISMS) stipulates that the developer and the operator of a system must work in two different locations in the office, so that the two roles never converge in one person. Xu Ziwen stressed that building security awareness is very important, so enterprises must carry out personnel education, training and publicity; otherwise, installing more cameras and monitors is useless.
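The separation-of-duties rule above can be checked mechanically against a role register. The following is an added example, not code from the article or from Yuanchuan Telecom; the role names, the conflicting pair and the assignment records are assumptions and constructed sample data.

```python
"""Segregation-of-duties check for a system role register.
Added example, not code from the article; all names and data are constructed."""
from collections import defaultdict

# Role pairs one person must never hold on the same system.
CONFLICTING_PAIRS = {("developer", "operator")}
# One person holding all of these leaves the system dependent on one individual.
REQUIRED_ROLES = {"developer", "operator", "approver"}


def sod_violations(assignments):
    """Return sorted (system, person, reason) tuples for (person, system, role) records."""
    held_roles = defaultdict(lambda: defaultdict(set))  # system -> person -> roles
    for person, system, role in assignments:
        held_roles[system][person].add(role)

    found = []
    for system, people in held_roles.items():
        for person, held in people.items():
            for a, b in CONFLICTING_PAIRS:
                if a in held and b in held:
                    found.append((system, person, f"holds both {a} and {b}"))
            if REQUIRED_ROLES <= held:
                found.append((system, person, "holds every role"))
    return sorted(found)


# Constructed sample register: (person, system, role).
SAMPLE_ASSIGNMENTS = [
    ("alice", "payroll", "developer"),
    ("bob", "payroll", "operator"),
    ("carol", "payroll", "approver"),
    ("dave", "billing", "developer"),
    ("dave", "billing", "operator"),     # developer and operator in one person
    ("erin", "billing", "approver"),
    ("frank", "hr-portal", "developer"),
    ("frank", "hr-portal", "operator"),  # same conflict, plus sole responsibility
    ("frank", "hr-portal", "approver"),
]

if __name__ == "__main__":
    for system, person, reason in sod_violations(SAMPLE_ASSIGNMENTS):
        print(f"{system}: {person} {reason}")
```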

3. Information Security:

The focus of information security is to protect the confidentiality, integrity and availability of information, and of the devices, systems and networks that process it, from threats of every kind, minimizing possible business damage and ensuring the continuity of the business. For example, a programmer must hand over the source code to the enterprise after writing a program, and the enterprise data center must keep offsite redundant copies of its data; all such measures are based on protecting the security of enterprise information.

Xu Ziwen stressed that information security covers a wide range: it is not only the Internet, nor just a firewall, because information security must be built on personnel, physical and environmental security, and all technologies exist to serve the security management policy; otherwise technology is just a product. He pointed out that at national information security conferences people are no longer focused entirely on technology but pay great attention to management. He gave an example: a computer has a firewall installed for information security reasons, but is placed at the gate where personnel come and go. How can that be called secure?

Xu Ziwen said that information security covers physical barriers, logical barriers, and data transformation and storage; the field is quite wide, and attaching importance to information security is equivalent to taking care of every kind of security, which is of great help to enterprise security management. The ISO 17799 information security management system indicates that the information security control objectives include:

  • Policy (formulation of corporate security policies; corporate security policies must be consistent with business objectives)
  • Organization (clearly regulate who is responsible for security work; many foreign companies, especially in the United States, have established security departments)
  • Assets Classification & Management (understand the company's assets in order to know what to protect and how much it is worth investing)
  • Personnel Security
  • Physical & Environmental Security
  • Communications & Operations Management
  • Access Control (refers to logical protection layers, such as passwords)

