Four Steps to a More Secure Corporation
Computerworld
Security isn't just something to buy. Security must be embedded in everything IT professionals do, from server configuration and hardening to firewall rules, help desk support and user training. Companies must prepare for issues as simple as a plug accidentally pulled out of an outlet and as complex as a deliberate attack against resources.
Four Phases of Security
Techniques to protect against undesirable consequences are often discussed in the abstract, in terms of confidentiality, integrity and accessibility. But these principles provide little guidance about how a secure system should be built, much less how a security initiative affects technology that isn't primarily associated with security. We advise customers to adopt a four-phase security cycle comprising assessment, planning, delivery and operation. This model is based on the Policy Framework for Interpreting Risk in E-Commerce Security model developed at the Center for Education and Research in Information Assurance and Security at Purdue University.
The assessment phase is where a robust security program begins, yet we find that many organizations have a tendency to leap straight to delivery. As a result, security controls are instituted in an ad hoc fashion, without sufficient means to measure -- much less improve on -- the results of their investments. There are especially significant ramifications for organizations' operating systems and technology infrastructure in this phase, and we recommend that organizations take the following three key actions:
- Review -- or create -- policy
- Analyze technology infrastructure risks, balancing functionality against fortification
- Assess internal and external threats
Policy
Policy is the tool that drives security strategy across people, processes and technologies, emphasizing the company's priorities on what is to be protected and why. Too many organizations are reluctant to dive into policy change, overwhelmed by what they perceive to be insurmountable cultural and political challenges, or are locked into "analysis paralysis" by the sheer magnitude of the problem. But without an explicit, specific and enforced policy, security gaps will proliferate. The key is iteration, moving gradually from good to better to world-class security over time.
Infrastructure Analysis
Much infrastructure technology wasn't designed for the open access that's commonplace today. Consequently, these systems aren't always protected against the risks in today's environment. Infrastructure analysis examines all aspects of security, from operating system configuration to password protection. The outcome is hardware, software and administrative configuration that balances functionality with protection.
Threat Assessment
Anticipating possible threats from inside and outside the company contributes to immediate and long-term technology decisions. Motivation, access, knowledge and traceability vary for different sources of attack. Moreover, external threats