|
For most businesses, government agencies, institutions and other organizations, security can at times seem like an overwhelmingly complex challenge. Threats to your data, both real and perceived, loom from all reaches - both external and internal. Hacker attacks, disgruntled or dishonest employees, and competitive snooping are just some of the concerns with respect to protecting proprietary information.
Regulatory drivers are mounting, as well as an ever-growing list of legislation and new acronyms to contend with. In Europe, the EU and individual countries have their own regulations governing the privacy of information including, as examples, the European Community Directives on human rights, electronic commerce, data protection, and privacy and electronic communications and the UK's Data Protection Act. In the US, HIPAA, GLBA, and "SOX" are just a few to contend with. Ona worldwide basis, the Basel II Capital Accord is front of mind for all internationally active banks.
Faced with a long and growing list of international regulations affecting IT security, compliance is viewed as one of the top concerns for many executives. Some of these laws hold organizations accountable for protecting the confidentiality of consumer or patient information. Others require companies to provide detailed and reliable documentation on financial decisions, transactions and risk assessments. And new laws are being passed all the time.
Basic Tenets for Compliance
Unfortunately, there is no single "one size fits all" implementation solution for complying with all the rules. But there are some basic strategies companies can use that will help them better deal with the security and retention of electronic data and lay a proper foundation for building their own framework to help comply with these regulations - and to protect proprietary business information.
If one were to break down the basic building blocks for constructing a security foundation, they would certainly include these basic security elements:
- A sound security policy - establishing the proper processes and procedures for how employees and systems should handle sensitive information.
- Proportionate to the threat - security is a form of insurance so make sure it is clearly targeted at protecting your most critical assets from the most likely or most damaging risks.
- Data encryption - to protect the privacy of consumer, patient, financial, or other sensitive information.
- Strong authentication and access controls - to ensure that only the people with a proper "need to know" have access to,or can change sensitive information.
- Data integrity checks - to ensure that the information has not been altered
- Continuity of service - to ensure that operations are not disrupted for any significant period of time.
And most importantly, establishing internal awareness among your employees through education on your security policies. The proper use of security technology can go a long way towards compliance.
Sound simple enough? In theory, yes. But in practice - not always.
A Visit to the Security Scrapheap
Organizations have expended enormous amounts of energy and money to address these threats and drivers over the past few years - oftenwith very little in tangible results to show for it. Expensive PKI projects and other security initiatives can remain perpetually in pilot due to complexities of implementation, support and lack of end user acceptance.
And those who have been successful in deploying sophisticated solutions within their organizations often find themselves isolated on islands of security due to incompatible technologies, infrastructures, and policies between themselves and their external customers and business partners.
So all the hype about security solutions - PGP, PKI, smart cards, biometrics, automated security policy enforcement, client authentication, message security, VPNs, access control - all too often remain hype. It really shouldn't be this difficult.
A Pragmatic Approach to Security
According to Bruce Schneir, an internationally renowned security technologist and author, "The more complex a security solution is, the less likely it will be used". Rather than throwing money at the latest technology, a more pragmatic approach to protecting information would start with determining what information your organization is trying to protect and how, assess the existing and planned infrastructure within which the solution must operate, and most importantly identify who the users are - both inside and outside the organization - and their usage context.
|
