Security Conference Leads to New Initiative

Computerworld - I had the opportunity to spend almost a week at this year's RSA Conference in San Francisco. Of all the information security conferences, I enjoy this one the most. It combines an abundance of informative seminars covering various technical levels with a floor show of leading-edge vendors showing off new products and enhancements. What sets it apart is the breadth of the seminars and the quality of the presenters. Many are industry leaders who, rather than trying to sell a product, are there merely to educate attendees on particular subjects. (That's not to say that there weren't the occasional product pitches.)
I like to talk with vendors to learn about new technologies, but mostly I'm hoping to validate decisions I have already made. For example, we selected RSA Security Inc. for our two-factor authentication. After visiting competing vendors, I was satisfied that RSA was the right choice for our deployment.
Another decision was to go with Guidance Software Inc. in Pasadena, Calif., for what I consider to be the leading forensics software on the market. At this conference, I had the opportunity to review the upcoming Version 5.0 of its Encase product line, and I was very impressed with the list of enhancements.
It seems as if each year a technology theme colors the conference. Last year, it was identity management. This year, the buzz was for virus gateways. This was timely. Malicious code has been entering our network, and virus gateways seem to be the answer.
Some background: We recently segmented areas of our network according to the nature of the infrastructure we're protecting. For example, since our wireless network is susceptible to various attacks, we segmented it so that users are on a network with no logical relationship to other areas of the infrastructure.
Another network houses our financial systems and is segmented from other areas because of the sensitivity of the data. There are other segments for desktops, databases, revenue-generating systems, monitoring systems, security infrastructure, development, executive staff and the legal, accounting, and sales and marketing departments.
This segmentation lets us protect users and control what they can access. For example, we created a network for our PeopleSoft application and one for our human resources department. The firewall rules restrict PeopleSoft administrative activities to the HR network, which is a very clean rule. We can deal with exceptions on a case-by-case basis.
The self-service interface for employees remains open to almost all networks, but we control access to administrative areas. If an employee in the finance department