Information Security Best Practices
Information security managers are well aware of the best practices outlined below. But the question remains: why aren't companies better able to secure their intellectual property and the sensitive information they hold about their customers? Because attaining adequate levels of security is extremely challenging and requires a daily, enterprise-wide commitment starting at the highest levels of management. While there is no IT security cure-all, information is ubiquitous, and since organizations will continue to inter-connect their customers, partners, and suppliers with their business-technology systems, more must be done. The biggest obstacles to IT security within organizations today are a lack of senior management commitment to drive a "culture of security" and set the proper tone throughout the enterprise, a lack of employee security awareness training, and a failure to consistently adhere to strong security best practices and procedures. Addressing these obstacles could greatly reduce embarrassing and costly data breaches.
To help mitigate data breaches, organizations need to:
1) Classify and Determine the Value of Data and Business-Technology Systems
Security professionals know that before any data can be cost-effectively protected, it must first be classified. The first task in risk assessment is to identify, assess, classify and then decide the value of digital assets and systems.
Many executives consider the most difficult aspect of a risk assessment to be uncovering the abundance of system and configuration vulnerabilities that place their systems at risk. Not so: an abundance of tools is available to help automate that task. Deciding, organization-wide, the value of the data and intellectual property is one of the most daunting tasks security professionals confront.
How much is the research and development data worth? How much will it cost the organization if it loses access to the accounting or customer-relationship management systems for a day? Without knowing the value of information, and of the systems that ensure its flow, it's impossible to make reasonable decisions about how much should be invested to protect those systems and that information. It makes little sense to spend $200,000 annually to protect information that wouldn't cost an organization more than $25,000 if it were exposed or lost. Tough decisions relating to the value of information need to be made, and that means bringing together management, legal, human resources, physical security, and other groups within the organization.
2) Adhere to Network Security Basics