
IT Security: A Step by Step Guide for Growing Business-Stage 2 (Customizing the Security Essentials)

White Paper Published By: Symantec.cloud

Stage 1 is much the same for every organization: putting the basics in place and making sure they are working properly. Stage 2 starts to differentiate between organizations. Before taking on a wider range of security controls, organizations should stick with the same list of basic controls but work them harder to get the maximum out of them, doing that in a way that starts to reflect the differences between individual organizations.
There are two sets of questions that drive Stage 2. The first asks, “how much damage does the organization believe it could realistically suffer if it had to face each of a number of serious security scenarios?” The second asks, “what level of security exposure does the organization face?” An organization’s answers to the first set of questions will enable it to decide which security measures to prioritize over others. Its answers to the second set of questions will show how high it needs to set its security bar.



Tags : 
messagelabs us, it security, smb, security profile, anti virus, anti spam, firewalls, vulnerability

Symantec.cloud
Published:  Sep 01, 2010
Type:  White Paper
Length:  11 pages

WHITEPAPER
IT SECURITY
A STEP BY STEP GUIDE FOR
GROWING BUSINESSES
STAGE 2: CUSTOMIZING THE SECURITY
ESSENTIALS FOR YOUR BUSINESS
www.messagelabs.com info@messagelabs.com
ABOUT THE AUTHOR
Dr. John Leach has been an Information Risk and Security professional for more than 20 years. He has held senior positions in the security teams of several organizations, including NatWest Bank, and has directed the security teams of a number of boutique technical consultancies. In December 2002, he formed his own company to enable him to provide consultant services independently.
Dr. John Leach has an academic scientific training. Many of the services he provides build on his ability to analyze security data, model the dynamics behind security risk, and quantify how the countermeasures people apply measurably reduce the security risks they face. He has been an active member of the Management Committee for the Information Assurance Advisory Council (www.iaac.org) continuously since May 2002, and is a member of the International Board of Referees for Computers and Security.
This paper would not have been so well informed as to the profile of today's threats without the assistance of Symantec Hosted Services and the global threat data they provide through MessageLabs Intelligence. Given the nature of its hosted services, Symantec is in an excellent position to capture an enormous amount of homogeneous data about internet-borne security threats. This huge volume of clean data can be used to generate valuable security insights, objective insights based on hard data rather than the more subjective insights, usually based on small-sample surveys or averages across widely diverse data, to which we are normally limited. I am grateful to Symantec Hosted Services for allowing me access to their MessageLabs Intelligence data while I was writing this paper.
Dr. John Leach
MANAGEMENT OVERVIEW
Most small and medium sized businesses (SMBs) find that their security needs are not adequately addressed by the marketplace. Ample detailed technical security advice is available for large enterprises with deep pockets and the need for their security to be comprehensive. Organizations can leave themselves open to problems if they fail to take safeguards and steps to mitigate risks caused by inadequate implementation of proper security controls. However, organizations with more limited needs and resources often find it hard to receive guidance on what to prioritize and where to draw the line. If they try to do everything that larger organizations might do for security, but find they can only do part of it, then which security controls do they discard? And doesn't that mean they have fallen short on their security duties if the organization ever gets hit by a security problem?
This white paper has been written for those organizations that do not have big budgets. It sets out a flexible three-stage approach that helps organizations sort out what their security priorities should be. It sets out a baseline of security controls that all organizations should apply, and shows how they can build on that baseline, maximizing the security protection they can gain from each additional security step taken. Each organization can set the height of its security bar at the level that is right for it today, and can raise that bar if it needs to as its business grows and its security needs evolve.
This is the second part of a three-part white paper series. Stage 1 introduced the three-stage approach, summarized the threat landscape, and described the basic security essentials. The essential security controls that all organizations need to have in place as a minimum can be downloaded from www.messgaelabs.com/essentials.
Before organizations that have completed Stage 1 proceed to take on a wider range of security controls, they should customize the controls reviewed to maximize the return from the security controls already in place. In this paper, we will describe how to maximize those security controls, so it is important to have them in place as a first step.
STAGE 2: CUSTOMIZE THE BASICS
Stage 1 is much the same for every organization: putting the basics in place and making sure they are working properly. Stage 2 starts to differentiate between organizati... [download for more]
