How do you stop threats before they reach your network?
For many organizations, the solution is upstream security. It creates a simpler, highly resilient security environment that reduces the burden of administration, lowers capital costs and eliminates the need for legions of servers dedicated to scrubbing email.
So does upstream security make sense for your organization?
By answering the questions in this assessment tool, you'll get a better understanding of your current security situation and where upstream security may, or may not, be a good fit.
Note: This tool is intended to guide decisions and stimulate focused conversations about security and compliance for your organization. For a complete assessment of your needs, please contact your Bell representative for the latest information on our offerings. You can also request to be contacted by a Bell representative.
1.0 Bolstering security and resilience
A security breach could mean many things: business interruption, resulting in lost revenue, data loss and consequent damage to your reputation, or worse. But no perimeter defence is perfect. How resilient and lithe is your security environment? What would a breach mean to you?
1.1 A resilient security environment is important to every organization, but for different reasons. Choose the answers that apply best to your situation:
- It's a major concern for us because we have a transactional, customer-facing Web presence. If systems go down, we lose revenue
- It's a major concern for us because we have a consumer-facing Web presence. If systems go down, we lose mindshare and customer trust
- If our systems are breached, we may face regulatory compliance repercussions
- We always like to reduce administrative costs and the chance of error
1.2 System outages occur for many reasons. Which of the following has compromised your system? Check all that apply:
- Phishing and spam attacks
- Denial of service attacks
- Administrative error
- Virus or malware
- Unauthorized Internet connections
- Lost or stolen user credentials
1.3 A complex security environment can mean complex change control processes and increased risk of catastrophic administrative error. How easily can you make changes to your IT environment, such as when you introduce a new application?
- New applications are made secure as part of the development process and brought online within 24 hours
- It can take 72 hours or more to test and make new applications secure and bring them online
- It's a big job and can sometimes take more than a week
1.4 How difficult are you finding it to keep up with the current threat environment? As malware and attack signatures change, organizations struggle to keep up. How much effort does it take on a monthly basis to keep on top of updates and patches?
- It's a major job
- It doesn't take much time per month, but over a year it adds up
- Most of it is automated
1.5 Large Canadian organizations have found that their security programs have crumbled soon after a major reorganization. How are you currently preventing this? Check all that apply.
- We have centralized security to protect against siloed budgetary cuts
- We have a governance program in effect for security that assures continuity
- We manage security or regulatory compliance at the executive level to ensure the necessary resources
- We have a security dashboard that flags degraded capability early and allows for remediation
1.6 Which of the following security elements does your organization have in place? Check all that apply:
- Traffic flow analysis: Analysis of internal network traffic patterns that reveal suspicious communications paths and data flows
- DNS analysis: Domain name lookup statistics and logs reveal incongruous matches between IP addresses and domain names (pharming) and command and control communication paths
- Messaging analysis: Spam and phishing attacks crossing or leaving the network reveal the internal addresses of compromised devices acting as spam relays and engines
- P2P analysis: File sharing traffic indicates violations of enterprise acceptable use, data leakage, command and control communications
- Web proxy monitoring: looking for suspicious Web-based downloads to indicate a compromised device
Remember, a resilient security environment has fewer failure points, so infrastructure is less complex and there is less room for administrative error. It is also more likely to be in compliance with regulation.
2.0 Compliance
Onerous though they may be, regulations force organizations to become more resilient. Plus, non-compliance risks sanctions that can damage your reputation and reduce goodwill on the balance sheet. IT security is a major factor in compliance, so the better shape your security environment is in, the more easily you will be able to become and remain compliant.
How does your organization handle compliance issues? Online merchants, card issuers and transaction processors have to deal with payment card international (PCI) regulations, entities with U.S. public listings have to deal with the Securities and Exchange Commission (SEC) and Sarbanes-Oxley, and just about everyone needs to pay attention to privacy regulations. Ignoring the regulatory environment means accepting substantial risks, and digging your way out of the hole means that costs will escalate.
2.1 Can you quickly generate evidence to support your compliance requirements?
- Yes
- No
- Not sure
2.2 Whether you are currently in compliance with all relevant regulations or not, compliance involves treating, accepting or transferring the risk. Did you transfer, or how likely are you to transfer, some responsibility for your compliance to a third party? Choose the best answer:
- We used only internal resources to achieve compliance
- We brought in specialists to help us achieve compliance internally
- We outsourced many compliance requirements when we outsourced certain business functions and processes
- We are not yet compliant, but we will get there internally
- We are not yet compliant, and are considering transferring the job and the risk to a third party
2.3 If your security environment's equipment and software licensing requirements were reduced by over 30%, to what extent would that reduce the burden of administration?
2.4 Estimate your monthly costs to handle email traffic, including software and related support, hardware, facilities and administration. Are you spending:
- Less than $5,000
- $5,001 to $10,000
- $10,001 to $20,000
- $20,001+
2.5 It is typical for 95% or more of email to be unsolicited. What portion of your bandwidth goes to handling email?
- Less than 25%
- 25 – 35%
- 35 – 50%
- More than 50%
2.6 Can you accurately quantify your current spend on email and traffic filtering, intrusion detection, log management and security reporting? If there is less reaching you, there is less to manage.
- Calculate what you are spending per year, including salaries and benefits
- Then calculate what you would be spending per year if illicit and unwanted traffic was reduced by over 90%
3.0 Resources
The cost of staying secure is on the rise, even when revenue isn't. How much could you save if the enterprise security perimeter wasn't your first line of defense?
3.1 Is your security infrastructure and expense growing even at times when revenue is not? Choose the best answer below:
- Infrastructure and expense are decreasing
- Both are holding steady
- We are able to cap spending during downtimes, with no adverse effects
- Infrastructure and expense are always escalating
3.2 Which of your security-related costs are steadily increasing? Choose all that apply:
- Wages
- After-hours staffing and overtime
- Hardware and support
- Server software licenses and support
- Desktop software licenses and support
- Physical space
- Electricity and back-up power
- Physical security
- Bandwidth
3.3 Upstream security can significantly reduce spam email traffic. Given that 95% or more of the messages you process are unwanted, how many servers are you currently devoting to scrubbing junk email?
- 1-5
- 6-10
- 11-20
- 20+
3.4 One vulnerability that all organizations face is the threat of Distributed Denial of Service (DDoS) attacks. Because they use millions of independent sources, the only way to see them coming is through carrier-level analysis of traffic patterns. How long would it take your organization to lose $100,000 through loss of connectivity?
- More than a week
- Less than a week
- A day or more
- Half a day
- One to three hours
- Less than one hour
3.5 How much time and effort does it take to make changes to your IT environment, for example when IT components are upgraded or replaced?
- Required changes can normally be made within 24 hours
- It can take up to 72 hours
- Up to a week
- A week or more in some cases
3.6 Estimate the number of software programs you currently have that deal with Internet-borne threats:
- 1-5
- 6-10
- 11-15
- 16+
Talk to Bell
You have taken the time to answer these questions, but what does it mean? Bell can provide expertise in planning and implementing upstream and other security solutions. For help interpreting the information you have generated with this tool, contact your Bell representative today or request to be contacted by a Bell representative.