
Enterprise-Level Security Policies: A Comprehensive Strategy for Unprecedented Security

By : Guardian Digital
Published : Sep 28, 2007
Length : 13
Type : White Paper
Overview :

Security is fundamentally a business challenge - one that requires a technology solution.

This white paper will help you select the best security solution by developing a comprehensive, company-specific strategy to protect business-critical information.


Anti-virus and anti-spam protection, DNS security, database protection, and intrusion detection and resolution: these are all goals that every company pursues, and some deal with them better than others. Choosing the solutions to protect the information you need, and eliminate the information you don’t, is fundamentally nothing more than a business problem. And this business problem has many solutions: proprietary vs. open source, in-house vs. outsourcing, hardware focus vs. software focus, etc.

As you look to determine what solutions will maintain your security, use this document to help you understand how to apply an intelligent strategy and policy in protecting your business-critical information. It will help you define your security needs, assess ways of achieving these goals and understand how to implement them in three distinct stages: prepare, defend and react.

  • Prepare: Rights and responsibilities, risk analysis and security team.
  • Defend: Monitoring your infrastructure and implementing security changes.
  • React: Detecting breaches, restoring functionality, reviewing policies.

This strategy will be particularly useful in doing what is necessary, not merely following trends. Issues to be understood at each step include total cost of ownership over time (mostly due to maintenance costs and security breaches), open source versus proprietary software, and single-vendor versus multiple-vendor solutions.

Usage Policies: Rights and Responsibilities
Take the time to review who is responsible for which task with regard to your security needs. This mostly pertains to larger organizations with larger IT teams, where it is usually more complex. Whatever your size, the disciplinary action used in the event of an employee security breach, and the ways to prevent such action, should be well defined. Articulating this is important, no matter how small its chance of occurrence. Defining these responsibilities with business partners is also important, as ambiguity is clearly something your business wants to avoid in such an event.
Often, organizations that stress security eliminate some problems from these issues. In preparing these policies, written or not, you should understand that anyone who tells you security isn’t about some level of compromise is naïve, lying or both. Guardian Digital, by our definition, stresses security as the paramount concern. Usability, performance and reliability are key, but the prevalence of internet threats, and the legal and monetary damages they can cause, take precedence over the costs of not having such stringent security.
Establishing this policy strategy is most important for administrators. For those with the highest level of responsibility, a plan for who administers accounts, enforces policies, and reviews program and task privileges is absolutely critical. Defining policies regarding user passwords or the handling of data is important as well. Obviously, the more control your software has over privileges, and the easier it makes enforcing such restrictions, the more consistent and effective your security will be.
In addition, by increasing your payroll unnecessarily, you also dilute your security. Achieving the best level of security possible often involves minimizing the number of people who have access to administrative responsibilities; a win-win situation for your business if implemented correctly.

Assessing Risk
The goal is to identify risks to your data, network resources, and network in general. Often, doing so doesn’t require identifying every entry point into your network, or every means of attack; it’s all about compromise. The more critical you are of your vulnerabilities, the greater your chance of stopping a potential threat. Assigning overall portions of your network a threat rating and applying the appropriate level of security is valuable, and helps to gauge the level of security needed for each section.

  • Low Risk: Data and systems that, if breached (lost and corrupted data, or viewed by unauthorized personnel), would not disrupt the business or cause legal or financial problems. The specific system or data is easily restored and contained.
  • Medium Risk: Systems or data that, if compromised, would cause a moderate disruption in the business, minor legal and financial ramifications, and have some level of containment. The system or data requires moderate time and effort to restore.
  • High Risk: Systems or data that, if compromised, can cause an extreme disruption in the business, cause major legal and financial ramifications, or threaten the health and safety of a person. The targeted system or data requires significant effort to restore and cannot be contained to certain sections.