Computerworld - Security isn't just something to buy. Security must be embedded in everything IT professionals do, from server configuration and hardening to firewall rules, help desk support and user training. Companies must prepare for issues as simple as a plug accidentally pulled out of an outlet and as complex as a deliberate attack against resources.
Four Phases of Security
Techniques to protect against undesirable consequences are often discussed in the abstract, in terms of confidentiality, integrity and accessibility. But these principles provide little guidance about how a secure system should be built, much less how a security initiative affects technology that isn't primarily associated with security. We advise customers to adopt a four-phase security cycle comprising assessment, planning, delivery and operation. This model is based on the Policy Framework for Interpreting Risk in E-Commerce Security model (download PDF) developed at the Center for Education and Research in Information Assurance and Security at Purdue University.
The assessment phase is where a robust security program begins, yet we find that many organizations have a tendency to leap straight to delivery. As a result, security controls are instituted in an ad hoc fashion, without sufficient means to measure -- much less improve on -- the results of their investments. There are especially significant ramifications for organizations' operating systems and technology infrastructure in this phase, and we recommend that organizations take the following three key actions:
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
