In a perfect world (like the one we're not living in), every company should have a predefined, straight and ready to implement attitude over the security in the company. It is considered an advantage to recognize a problem even before a problem becomes an emergency. On the other hand, if that is not the case, following and researching these suggestions should help every IT manager in successfully implementing basic security measures and by doing that, ensure their organization has done the basic efforts to defend themselves from the dark side of the cyberspace.

IT security managers must establish an appropriate information and Internet security policy and an auditing process. Security in their company must be seen as an essential part of their business survivability. Also, security processes must be an everyday activity, not something you do once and forget about it, as security itself is such subject that it is changing not even daily but hourly. There are legal authorities whose job is to process complies if something goes wrong and their security forts fail to respond properly, and management must be aware of these bodies.

Policy

Security policy must provide written rules that are saying how computer systems should be configured and how organization's employees should conduct business before they use information technology. Policies have to be well controlled, and they will be the baseline for implementation. If we do not have a policy, there will be no plan upon which an organization can design and implement an effective security program. You have to ask yourself about most important security policies, and what is their role in helping achieving business objectives. There are a number of sub policies, which we will not cover here, as this article is about implementing only basic security measures.

Risk Management


Ask yourself - how does your organization identify critical information assets and risks to those assets? What are the potential financial impacts of a successful attack against these assets? Do you have any insurance policies to mitigate and transfer potential losses for your information security risks? Risk management is about conducting an information security risk evaluation that identifies critical information assets (i.e. systems, networks or data), threats to critical assets, assets vulnerabilities and risks. You should identify the adverse impacts when risks to critical assets are realized, and quantity the financial impact to the greatest extent possible. Do have a risk mitigation plan resulting from the evaluation, and ensure there is a regular review and management of the risks to critical information assets.

Security Architecture & Design

You should know the primary components of your organization's security architecture. How does your security architecture help your business exactly? Know what assets to secure the most and know why.

User Issues