In IT security many known and reasonably proven security control solutions (network traffic filtering, encryption, access control lists, and much more) exist. Strangely, one very powerful solution, IT standardization, too often gets overlooked when people consider various control solution options. A good example is chapter three in the CISM examination preparation manual, much of which covers IT security technology. This chapter mentions many security technology options, but, strangely enough, does not mention IT standardization as a viable security control measure. In this respect, this manual (which, by the way, I very much like overall) is by no means unique. IT standardization is a proven way to cut down IT costs, but as a security control this measure too often gets too little notice.

The most widely used version of IT standardization is the standard desktop. Larger organizations, particularly Fortune 500 companies and certain agencies within the US government, are the leaders in this area. From a security point of view, advantages of adopting a standard desktop include:

  1. A more secure out-of-the-box configuration. Most standard desktop efforts include provisions for having desktop systems vendors build and then ship systems preconfigured to customer specifications. Provided that specifications include configurations that are conducive to security, new systems are secure right from the start.
  2. Better compatibility with patch management solutions. Differences in system configurations are one of the biggest problems in patch management: systems with one configuration are likely to fare well after new patches have been installed, whereas systems with a different configuration may not. A standard configuration is thus likely to cause fewer complications in patch management.
  3. More efficient security monitoring. Inspecting system settings to spot unauthorized changes is one of the best ways to discover security breaches as well as unauthorized tampering. Inspecting systems that are built and maintained in accordance with a standard desktop configuration makes spotting unauthorized deviations much easier, as opposed to having to analyze a range of configurations because of lack of standardization.
  4. More efficient change management. A standard desktop also facilitates change management by making the transition from point A to point B more predictable. Testing in non-production environments thus results in greater certainty about what exactly will result once a change is made. In contrast, lack of standardization means that there is no single point A from which to start, making the transition to point B (or, most likely in reality, a number of somewhat different point B’s) much less predictable. Change management is particularly important in information security because change almost inevitably introduces new security-related risk.
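To make point 3 concrete, here is an added example (not from the article) of the kind of baseline check a standard desktop makes possible: a host's exported settings are compared with the standard configuration and every deviation is listed, highest severity first, including settings that are missing from the host and settings the baseline does not know about. The baseline keys and values, the `key=value` export format and the inventory agent are assumed placeholders, not FDCC settings.

```python
# Added example (not from the article): compare one host's exported settings
# with a standard-desktop baseline. All keys/values are constructed placeholders.

# Constructed baseline: setting name -> (required value, severity of a mismatch)
BASELINE = {
    "firewall.enabled": ("true", "high"),
    "autorun.disabled": ("true", "high"),
    "guest_account.enabled": ("false", "high"),
    "screen_lock.timeout_minutes": ("15", "medium"),
    "password.min_length": ("14", "medium"),
}

def parse_settings(text):
    """Parse 'key=value' lines exported from a host (hypothetical agent format).
    Blank lines and '#' comments are skipped; values compare case-insensitively."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().lower()
    return settings

def find_deviations(observed, baseline=BASELINE):
    """Return (key, expected, actual, severity) tuples, highest severity first.
    A setting absent from the export is reported with actual=None, not skipped."""
    rank = {"high": 0, "medium": 1, "info": 2}
    deviations = []
    for key, (expected, severity) in baseline.items():
        actual = observed.get(key)
        if actual != expected.lower():
            deviations.append((key, expected, actual, severity))
    # Settings the baseline does not define are flagged for review as well.
    for key in set(observed) - set(baseline):
        deviations.append((key, None, observed[key], "info"))
    return sorted(deviations, key=lambda d: (rank[d[3]], d[0]))

# Constructed export from a host that has drifted from the standard build.
SAMPLE_EXPORT = """# exported by hypothetical inventory agent
firewall.enabled=true
autorun.disabled=false
screen_lock.timeout_minutes=60
guest_account.enabled=false
telnet.client.installed=true
"""

if __name__ == "__main__":
    for key, expected, actual, sev in find_deviations(parse_settings(SAMPLE_EXPORT)):
        print(f"[{sev}] {key}: expected={expected} actual={actual}")
```

Running it against the constructed export reports the disabled autorun control and the missing password-length setting before the lower-severity items, which is the kind of quick triage a non-standardized fleet cannot offer.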

The US government has in particular had great success in its desktop standardization efforts with its recent massive Federal Desktop Core Configuration (FDCC) initiative involving over 450,000 computing systems. The US Air Force, National Security Agency (NSA), National Institute of Standards and Technology (NIST), and Defense Information Systems Agency (DISA) worked together to produce a standard, secure configuration for two versions of Windows operating systems. They then utilized their procurement process to ensure computer vendors delivered computing systems with this configuration. The result was not only substantial reduction in system administration costs, but also more efficient patch management and better user support. Curiously, very few legacy applications were adversely affected by the standardization.

If you are an information security or an IT professional, you would do well to give IT standardization proper consideration when you are deliberating among possible IT security controls. From a security perspective as well as from a more general IT perspective, IT standardization can deliver a much more favorable cost-to-benefit ratio than many other alternatives.

