Securing the Enterprise

Written by Don Jones; Published by Realtimepublishers.com

This excerpt is from Chapter 2, Securing the Enterprise, of the free e-book From Chaos to Control: The CIO's Executive Guide to Managing and Securing the Enterprise, written by Don Jones, published by Realtimepublishers.com and available at http://www.netiq.com/offers/ebooks.

Areas of security concern

What do you care about when it comes to security? I once worked with a regional telecommunications firm that didn't bother to seriously secure any of their file servers. They made it clear that everything on those servers was open to pretty much anyone in the company and that anything requiring a higher level of security would need to be kept in the company's mainframe, which is where they'd invested all of their security efforts. The lesson is that you don't have to secure everything in your organization; you simply need to decide what you will secure, and make sure that everyone in your organization is on the same page.

Security must be pervasive

Security is far too often treated as a separate entity and the last thing anyone thinks about. Even Microsoft used to be guilty of such behavior: Prior to Windows Server 2003, Microsoft's primary concerns were ease of use and general code stability. Security was nearly always an afterthought, implemented through minimally featured add-on tools such as the Baseline Security Analyzer.

Every new corporate project -- regardless of whether it involves IT -- needs to consider the security ramifications of the project. Security should not be implemented by some specialized department within your organization; you might have such a department, but their job should be to advise and educate other department heads. Security must be a part of every decision made.

To continue picking on Microsoft for a moment, consider the company's Win2K certification exams, which include exam objectives such as "managing file access" and "managing DNS." Near the end of the exam, there is a short collection of objectives such as "securing file access" and "securing DNS," as if those were separate topics! Newer exams correctly require candidates to "manage, monitor, secure and troubleshoot" resources as a single set of tasks, which is exactly how things should be.

Just as every management decision must be viewed in terms of its costs and impacts on profit or productivity, every decision must also be viewed in terms of its impact on security.

Physical security

How secure is your "physical plant"? I've already mentioned the surreptitious janitor who made off with a computer, one that probably contained at least a little confidential data. Physical security is easily overlooked, in part because it's so difficult to secure efficiently. Locked doors and filing cabinets, sure, but locking computers to desks? Installing paper shredders every 30 feet? Encrypting files in case the hard drive is stolen? Each of these measures is reasonable in the right circumstances; you'll need to decide when those circumstances are your own.

From a policy standpoint, you need to express in writing which vulnerabilities and situations you consider reasonable to accept. For example, you might work inside a facility that requires photo IDs and posts armed guards to ensure that the IDs are used correctly. In that case, worrying about somebody sneaking in and plugging into the network might not really be a concern. However, your company might work in a startup "incubator" in which your resources are practically public property; there, worrying about someone plugging into your private network might be a very real and immediate concern. One way to approach physical security is to decide how likely each threat is to actually occur and how big an impact it would have on your business if it did occur. A simple worksheet is a good starting point.
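As an added illustration, not part of Jones's chapter, the following Python turns that likelihood-and-impact worksheet into a ranked list and splits it into threats the written policy will mitigate and threats it knowingly accepts. The threat names, 1-to-5 ratings, countermeasures and the cut-off score are constructed assumptions for an incubator-style office.

```python
from dataclasses import dataclass

# Scale used for both likelihood and impact: 1 (negligible) .. 5 (severe).
# A threat scoring at or above this product goes on the "mitigate" list;
# anything below it is recorded in the policy as an accepted risk.
# (Assumed cut-off; pick one that matches your own appetite for risk.)
MITIGATE_THRESHOLD = 10


@dataclass
class Threat:
    name: str
    likelihood: int   # 1..5, how likely this is in *your* facility
    impact: int       # 1..5, business impact if it does occur
    control: str      # candidate countermeasure if you decide to mitigate

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def validate(t: Threat) -> None:
    """Reject ratings outside the 1..5 scale so a typo cannot silently skew the ranking."""
    for v in (t.likelihood, t.impact):
        if not 1 <= v <= 5:
            raise ValueError(f"{t.name}: ratings must be 1..5, got {v}")


def rank(threats: list[Threat]) -> list[Threat]:
    """Highest risk first; ties broken by name so the output is stable."""
    for t in threats:
        validate(t)
    return sorted(threats, key=lambda t: (-t.score, t.name))


def decide(threats: list[Threat], threshold: int = MITIGATE_THRESHOLD) -> dict[str, list[str]]:
    """Split the ranked worksheet into what the policy will secure and what it accepts in writing."""
    ranked = rank(threats)
    return {
        "mitigate": [t.name for t in ranked if t.score >= threshold],
        "accept":   [t.name for t in ranked if t.score < threshold],
    }


# Constructed sample worksheet; the ratings are illustrative, not measured.
INCUBATOR_WORKSHEET = [
    Threat("Outsider plugs into an open network jack", 5, 4, "port security, locked wiring closet"),
    Threat("Desktop carried off by cleaning staff",    3, 4, "cable locks, after-hours access sign-out"),
    Threat("Confidential printouts taken from trash",  4, 2, "shredders next to printers"),
    Threat("Stolen laptop drive read offline",         3, 5, "full-disk encryption"),
    Threat("Tailgating through the badge door",        2, 2, "guard or mantrap at entrance"),
]

if __name__ == "__main__":
    for t in rank(INCUBATOR_WORKSHEET):
        print(f"{t.score:2d}  {t.name:44s} -> {t.control}")
    print(decide(INCUBATOR_WORKSHEET))
```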

This was first published in July 2003
