Implementing Basic Security Measures
by Mislav Gluscevic - Monday, 14 April 2003.
A security policy must provide written rules stating how computer systems should be configured and how the organization's employees should conduct business when they use information technology. Policies have to be well controlled, and they will be the baseline for implementation. Without a policy, there is no plan upon which an organization can design and implement an effective security program. Ask yourself which security policies matter most and what their role is in helping achieve business objectives. There are a number of sub-policies, which we will not cover here, as this article is about implementing only basic security measures.

Risk Management

Ask yourself: how does your organization identify critical information assets and the risks to those assets? What are the potential financial impacts of a successful attack against these assets? Do you have any insurance policies to mitigate and transfer potential losses from your information security risks? Risk management is about conducting an information security risk evaluation that identifies critical information assets (i.e. systems, networks or data), threats to critical assets, asset vulnerabilities and risks. You should identify the adverse impacts when risks to critical assets are realized, and quantify the financial impact to the greatest extent possible. Have a risk mitigation plan resulting from the evaluation, and ensure there is regular review and management of the risks to critical information assets.

Security Architecture & Design

You should know the primary components of your organization's security architecture. How exactly does your security architecture help your business? Know which assets to secure the most, and know why.

User Issues

This practice involves a few sub-practices as well: Accountability and Training, and Adequate Expertise. Regarding Accountability and Training, you should establish accountability for user actions, train for accountability and enforce it, as reflected in organizational policies and procedures. When I say users, I mean everyone with an active account, for example employees, partners, suppliers, and vendors. Regarding Adequate Expertise, you should ensure that there is adequate in-house expertise or explicitly outsourced expertise for all supported technologies, including the secure operation of those technologies. You have to know whom to call if you have problems with your operating system, laptop, access to new project data, passwords, security applications, or custom applications that have been developed internally. And that's not all: you should know whom to call when the corporate firewall blocks access to a service that you need, or something similar.

System & Network Management

This practice is built from a few smaller practices, all of which are very important: Access Control, Software Integrity, Secure Asset Configuration and Backups. We are going to cover them only generally here. Establish a range of security controls to protect assets residing on systems and networks. Consider the use of access controls on your network, and the use of data encryption technologies (including VPNs) as required. Use removable storage media for critical data so that it can be physically secured. Do regular checks and verify the integrity of installed software. Do regular checks for viruses, worms, Trojans and other malicious or unauthorized software. Also, regularly compare all file and directory cryptographic checksums with a securely stored, maintained, and trusted baseline.
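As an added example (not from the original article), a minimal Python file-integrity check of the kind the last sentence describes: it records a SHA-256 digest of every file under a tree, stores that baseline outside the tree, and on a later run reports files that were modified, added or removed. The file names and contents in the demo are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_tree(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}

def compare_snapshots(baseline: dict, current: dict) -> dict:
    """Files whose digest changed, files absent from the baseline, files that vanished."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def save_baseline(snapshot: dict, out: Path) -> None:
    # Keep the baseline outside the monitored tree (read-only media or another host);
    # a baseline that can be rewritten on the monitored system verifies nothing.
    out.write_text(json.dumps(snapshot, indent=1, sort_keys=True))

def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())

def run_demo() -> dict:
    """Constructed scenario: baseline a small tree, change it, then re-check."""
    with tempfile.TemporaryDirectory() as tree, tempfile.TemporaryDirectory() as store:
        root, baseline_file = Path(tree), Path(store) / "baseline.json"
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"original login binary")
        (root / "sshd.conf").write_text("PermitRootLogin no\n")
        save_baseline(scan_tree(root), baseline_file)
        (root / "bin" / "login").write_bytes(b"tampered login binary")   # modified
        (root / "sshd.conf").unlink()                                     # removed
        (root / "bin" / "ls").write_bytes(b"unexpected new file")         # added
        return compare_snapshots(load_baseline(baseline_file), scan_tree(root))

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```

In real use, run `scan_tree` on the production tree from a scheduled job and alert on any non-empty list; digests alone will not catch changes to ownership or permissions, so extend the snapshot with those if the policy requires it.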
