This excerpt is from Chapter 2, Securing the Enterprise, of the free e-book From Chaos to Control: The CIO's Executive Guide to Managing and Securing the Enterprise, written by Don Jones, published by Realtimepublishers.com and available at http://www.netiq.com/offers/ebooks.
Areas of security concern
What do you care about when it comes to security? I once worked with a regional telecommunications firm that didn't bother to seriously secure any of their file servers. They made it clear that everything on those servers was open to pretty much anyone in the company and that anything requiring a higher level of security would need to be kept in the company's mainframe, which is where they'd invested all of their security efforts. The lesson is that you don't have to secure everything in your organization; you simply need to decide what you will secure, and make sure that everyone in your organization is on the same page.
Security must be pervasive
Security is far too often treated as a separate entity and the last thing anyone thinks about. Even Microsoft used to be guilty of such behavior: Prior to Windows Server 2003, Microsoft's primary concerns were ease of use and general code stability. Security was nearly always an afterthought, implemented through minimally featured add-on tools such as the Baseline Security Analyzer.
Every new corporate project -- regardless of whether it involves IT -- needs to consider the security ramifications of the project. Security should not be implemented by some specialized department within your organization; you might have such a department, but their job should be to advise and educate other department heads. Security must be a part of every decision made.
To continue picking on Microsoft for a moment, consider the company's Win2K certification exams, which include exam objectives such as "managing file access" and "managing DNS." Near the end of the exam, there is a short collection of objectives such as "securing file access" and "securing DNS," as if those were separate topics! Newer exams correctly require candidates to "manage, monitor, secure and troubleshoot" resources as a single set of tasks, which is exactly how things should be.
Just as every management decision must be viewed in terms of its costs and impacts on profit or productivity, every decision must also be viewed in terms of its impact on security.
How secure is your "physical plant?" I've already mentioned the surreptitious janitor that made off with a computer, which probably contained at least a little confidential data. Physical security is easily overlooked, in part because it's so difficult to efficiently secure. Locked doors and filing cabinets, sure, but locking computers to desks? Install paper shredders every 30 feet? Encrypting files in case the hard drive is stolen? Each of these measures is reasonable in the right circumstances; you'll need to decide when those circumstances are your own.
From a policy standpoint, you need to express in writing what you feel are reasonable vulnerabilities or situations. For example, you might work inside a facility that requires photo IDs and posts armed guards to ensure that the IDs are used correctly. In that case, worrying about somebody sneaking in and plugging into the network might not really be a concern. However, your company might work in a startup "incubator" in which your resources are practically public property; worrying about someone plugging into your private network might be a very real and immediate concern. One way to approach physical security is to decide how likely it is for different threats to actually occur and how big an impact it would be on your business if it did occur. To do so, you can use, as a starting point, a simple worksheet.
> Read the rest of the excerpt from Chapter 2, Securing the Enterprise.
This was first published in July 2003