Four Steps to a More Secure Corporation
Computerworld
Security isn't just something to buy. Security must be embedded in everything IT professionals do, from server configuration and hardening to firewall rules, help desk support and user training. Companies must prepare for issues as simple as a plug accidentally pulled out of an outlet and as complex as a deliberate attack against resources.
Four Phases of Security
Techniques to protect against undesirable consequences are often discussed in the abstract, in terms of confidentiality, integrity and accessibility. But these principles provide little guidance about how a secure system should be built, much less how a security initiative affects technology that isn't primarily associated with security. We advise customers to adopt a four-phase security cycle comprising assessment, planning, delivery and operation. This model is based on the Policy Framework for Interpreting Risk in E-Commerce Security model developed at the Center for Education and Research in Information Assurance and Security at Purdue University.
The assessment phase is where a robust security program begins, yet we find that many organizations have a tendency to leap straight to delivery. As a result, security controls are instituted in an ad hoc fashion, without sufficient means to measure -- much less improve on -- the results of their investments. There are especially significant ramifications for organizations' operating systems and technology infrastructure in this phase, and we recommend that organizations take the following three key actions:
- Review -- or create -- policy
- Analyze technology infrastructure risks, balancing functionality against fortification
- Assess internal and external threats
Policy
Policy is the tool that drives security strategy across people, processes and technologies, emphasizing the company's priorities on what is to be protected and why. Too many organizations are reluctant to dive into policy change, overwhelmed by what they perceive to be insurmountable cultural and political challenges, or are locked into "analysis paralysis" by the sheer magnitude of the problem. But without an explicit, specific and enforced policy, security gaps will proliferate. The key is iteration, moving gradually from good to better to world-class security over time.
Infrastructure Analysis
Much infrastructure technology wasn't designed for the open access that's commonplace today. Consequently, these systems aren't always protected against the risks in today's environment. Infrastructure analysis examines all aspects of security, from operating system configuration to password protection. The outcome is hardware, software and administrative configuration that balances functionality with protection.
Threat Assessment
Anticipating possible threats from inside and outside the company contributes to immediate and long-term technology decisions. Motivation, access, knowledge and traceability vary for different sources of attack. Moreover, external threats