Top to Bottom Best Practice
Aberdeen says best practices for governing security span a wide range of activities, from board involvement to what happens daily within the enabling technologies that support an organization's missions. In between, security is fundamentally about how people interact with information systems.
More specifically, Aberdeen research shows that firms operating at best-in-class levels emphasize repeatable procedures, effective management of data and knowledge, an efficient and transparent organizational structure and strategy, and enabling automation technologies that assist with responses to business pressures.
"Most share this sentiment expressed by one respondent," Aberdeen says. "'There is no such thing as a silver bullet or a single source for security, and there never will be.' But most organizations automate when speed, business cycles or business seasonality force them. Many of the firms humbly admit their security programs still have a long way to go before reaching their full promise."
Aberdeen emphasizes that enterprises must maintain control and security of networks and systems. "Enterprises are struggling with trying to balance flexibility and agility with managing the risk that comes with unfettered access to information among employees, customers, business partners and suppliers."
CIO magazine polled practitioners and analysts for their own list of network security best practices.
1. Assess Your Risk
You cannot hope to cost-effectively secure the enterprise until you have conducted a comprehensive risk analysis. Seek to adopt a risk management methodology that will let you weigh the risks and costs of enterprise-wide protection. This is turn will help you prioritize the strategies for becoming secure.
"The concept, basically, is 'not all threats are created equal'," BioPassword's Wood says. When Wood became CSO at Microsoft he realized that if he signed up to a pledge to protect the company, he was setting himself up for failure. IT pros know their companies are susceptible and vulnerable to attack. Since no operating system is created invulnerable and no network is created impenetrable, nobody can promise to provide total security, he says.
"I knew I couldn't [completely] protect the company, and I knew if I tried, ultimately something would happen and we would fail," Wood says.
Instead, he took a macro-economic view of security, which involved dividing assets into categories, identifying key vulnerabilities against each asset and then assessing the relative probability of an attack against the detailed mitigation perspective he took into the exercise. Ultimately the team was able to come up with a number for each category that represented a high, medium or low probability of an event. "That allowed us to prioritize, if you will, the strategies for getting healthy or getting secure."
Not only did that let him allocate greater resources to the highest risk, it also gave him a way to communicate to the executives the entire risk or threat profile, so that they could understand which ones were not being acted against.
"In my role the most important thing in retrospect that I did was communicate what we weren't going to protect: the problems that we weren't going to fix, because the ones that you address, everybody knows about. The one you get rewarded for is for the attack that's never successful.
"For example, with respect to susceptibility to mass propagating worm virus, we set up a threshold and said 99 percent of the machines of the company, of which there were more than 300,000, would be protected - patched . . . We knew that 1 percent of machines in the environment would always be susceptible to an attack, whether to a worm or a virus or credential harvesting or otherwise, but what we said was 99 percent would be successful, and we had some strategies around the network to make it less damaging if the 1 percent became infected ultimately."
Consideration of the inherent security risks should become a part of the evaluation of any new technology.
"The most important thing to do before getting into the technology, getting into introducing controls like firewalls and stuff, is to actually understand the risk [of the new technology]," says Neal Wise, a partner with security service provider Assurance.com.au. "The most important thing for an organization to do is a risk assessment activity that allows them to ascertain the critical functions of the organization, and that in turn will identify the critical organizational infrastructure that supports those functions, which will include technology."
More often than not, people will jump immediately to the technology aspect of the solution. Inevitably that may come into play, but without actually having strong planning and having a supporting organizational policy and governance, before actually getting into the technology areas of security, you will be basically investing without actually having a context to make that investment in.
Depending on the size of the organization (some organizations will have internal audit personnel who may do some aspects of the risk assessment), the most effective way for many organizations to conduct a risk assessment is to assemble a group of interested stakeholders from affected areas, including technology, organizational management and finance, to contribute to the overall risk assessment. Security should be a consensus activity, Wise says. One person may have the responsibility for collecting the information, but they should acquire that from all parts of the organization in order to gain the complete picture.
"We tend to measure the value of our investments against the risk in dollars that we can mitigate," American Water's Larson says. "That's the business's decision, but the key point is the quantification of risk avoidance value in our investments."
"Really, what it boils down to is having an operational risk focus and driving the ownership of that risk back into the business, because they're the people who can really make decisions about what is the cost versus the risk," says one Australian CIO. "The IT security people are really just there to . . . facilitate that risk assessment but they're not the people who can be saying yes or no."
- +
Process Trip 04 February, 2008 13:07:03
Why Maritz Travel revamped key business processes — and how business and IT came together to make it workWhen Rich Phillips became COO OF Maritz Travel about two and-a-half years ago, he sat down and took a hard look at the big industry picture - +
Ticked Off at Tick the Box Mentality 04 February, 2008 13:01:15
Does your executive search firm know the difference between an MIS manager and a CIO, and if it does, can it explain that difference to its corporate clients?Does your executive search firm know its MIS managers from its elbow? Does it even know the difference between an MIS manager and a CIO, and if it does, can it explain that difference to its corporate clients? - +
Strategies for Dealing With IT Complexity 24 December, 2007 10:30:47
Every innovation, every business process improvement, comes with an IT complexity tax that must be paid by CIOs in time, money and sweat. Here are strategies to mitigate the increasing complexity of IT as it enables new business.Every innovation, every business process improvement, comes with an IT complexity tax that must be paid by CIOs in time, money and sweat. Here are strategies to mitigate the increasing complexity of IT as it enables new business.
Read up on the latest ideas and technologies from companies that sell hardware, software and services. - White PaperJoin Lee Benjamin, a Microsoft Exchange MVP and Ryan Shipkowski, network administrator for Matthews, to discuss the process and ROI of implementing an email archiving solution, with emphasis on a case study from Matthews International.
- White PaperJoin industry expert Martin Tuip to discover best practice strategy for the archival and removal of .PST files using email archiving. Learn how to ensure long-term email records are there when needed, and reduce the risk to your business and clients.
- White PaperWhat you don’t know can destroy your business. It’s hard to imagine modern business without the internet but in the last few years it has become fraught with danger. Read on to discover how internet security can give your business a competitive advantage.
Discover how SOA can create smarter outcomes for your business.
Attend and learn:
- How SOA is helping leading companies to become more agile
- Where you should be applying SOA processes in your company
- The top SOA implementation mistakes to avoid
Click here for more information.
- +
CIO Live Podcast #79: Brent D Taylor, author of The Outsider's Edge: The Making of Self-Made Billionaires Part II 05 October, 2007 06:00:00
For his new book, The Outsider's Edge: The Making of Self-Made Billionaires, social researcher Brent D Taylor spent four years of intensive research investigating the psychological make-up and backgrounds of some of the world's richest men and women, including IT luminaries Bill Gates, Larry Ellison and Steve Jobs. Taylor discovered that, despite working in different industries and coming from different upbringings, they all have one thing in common -- they are all outsiders. - +
CIO Live Podcast #78: Brent D Taylor, author of The Outsider's Edge: The Making of Self-Made Billionaires 28 September, 2007 17:34:25
For his new book, The Outsider's Edge: The Making of Self-Made Billionaires, social researcher Brent D Taylor spent four years of intensive research investigating the psychological make-up and backgrounds of some of the world's richest men and women, including IT luminaries Bill Gates, Larry Ellison and Steve Jobs. Taylor discovered that, despite working in different industries and coming from different upbringings, they all have one thing in common -- they are all outsiders. - +
CIO Live Podcast #77: Panasonic Speeds Up Trans-Pacific File Transfers, Part III 21 September, 2007 07:00:00
Part three in our three-part special report from CIO's sister publication Network World in the US, as Paul Desmond reports from the Network World IT Roadmap Conference in Santa Clara, California. With development teams in the US and Japan, Panasonic needed a more efficient way to move very large files between the two locations. Iben Rodriguez, IT consultant for Panasonic Research and Development, explains how a storage-area network and virtual server technology helped speed up WAN performance. - +
CIO Live Podcast #76: Panasonic Speeds Up Trans-Pacific File Transfers, Part II 14 September, 2007 07:00:00
Part two in our three-part special report from CIO's sister publication Network World in the US, as Paul Desmond reports from the Network World IT Roadmap Conference in Santa Clara, California. With development teams in the US and Japan, Panasonic needed a more efficient way to move very large files between the two locations. Iben Rodriguez, IT consultant for Panasonic Research and Development, explains how a storage-area network and virtual server technology helped speed up WAN performance. - +
CIO Live Podcast #75: Panasonic Speeds Up Trans-Pacific File Transfers, Part I 07 September, 2007 07:00:05
Part one in our three-part special report from CIO's sister publication Network World in the US, as Paul Desmond reports from the Network World IT Roadmap Conference in Santa Clara, California. With development teams in the US and Japan, Panasonic needed a more efficient way to move very large files between the two locations. Iben Rodriguez, IT consultant for Panasonic Research and Development, explains how a storage-area network and virtual server technology helped speed up WAN performance.
- +
Chris Hoff on Virtualization and Cloud Computing 20 November, 2008 10:55:00
Chris Hoff, chief security architect for the systems and technology division at Unisys and an advisor on the Skybox Security customer advisory board, is one of the biggest critics of virtualization security out there. Not because it isn't important - but rather because it is vital and needs to mature rapidly. - +
Cybersecurity is focus of new start-up incubator 20 November, 2008 07:19:00
Texas uni announces the Institute for Cyber Security.The University of Texas at San Antonio Tuesday announced a technology incubator aimed at fostering IT security-based start-ups within the state. - +
Dilip Sarangan on Physical Security M&A 20 November, 2008 11:18:00
Dilip Sarangan tracks physical security companies for Frost & Sullivan. He expects the industry's "need to have" products to weather the economic storm well, with the big players (now including IBM and Cisco) looking for value-priced acquisitions. - +
International Challenges in PCI Security 20 November, 2008 09:15:00
In a country that's seen many regulatory compliance challenges this decade, the headaches of PCI security tend to be analyzed from a largely American perspective. - +
PCI council sharpens oversight of security auditors 19 November, 2008 10:53:00
Quality assurance plan targets security assessors and scanning vendorsThe PCI Security Standards Council Monday unveiled a plan to sharpen oversight of the hundreds of security-service providers now authorized to evaluate merchant networks under the organization's Payment Card Industry data standards.
Vignette Announces 2008 Excellence Awards 21 November, 2008 10:50:00
PGP and Ponemon Institute Unveil Inaugural Australian Data Breach Study 2008 20 November, 2008 17:34:00
Symantec Cloud Services Transform Data Centre Operations Through Proactive Management 20 November, 2008 12:06:00
Verizon Business Offers Tips to Building a Successful Unified Communications and Collaboration Plan 20 November, 2008 12:04:00
AARNet Brings 4K Digital Cinema to Australia: First 4K HD Video Signal delivered into Australia by AARNet 20 November, 2008 12:02:00
|
||
|
||
|
|
||
|
CRM your salespeople will love
Winning over the sales department and obtaining buy-in at all levels is crucial to the success of any CRM initiative. Discover how you can let salespeople work how they want to and reduce their administrative burden with the latest CRM technology.
Buying Guides
Buying Guides
