eSecurity
4.2 Design
With a good set of requirements and an understanding
of the real threats to your business, you can identify
the right mix of technical, procedural and organisational
controls needed to meet your security requirements.
Ask the question, does my security program address confidentiality,
integrity and availability of my business information
and IT systems? At this stage, unless you have in-house
expertise, you should get help from an independent consultant
who can outline the various technical options available
to you and help you evaluate the offerings from different
vendors. Keep in mind that you cannot lock down everything
because your business would suffer. The appropriate
controls should be devised according to the associated
risk.
4.3 Implement
Putting the security controls into practical effect
is more time-consuming than one would think. This is
a critical area and requires good project management
to balance the implementation of the controls and costs.
Companies use a wide range of internal and external
resources to accomplish this. At a basic level, every
business needs to have someone identified as responsible
for IT security. When installing new systems it is advisable
to check what support the installing company will provide
in terms of security. Use your time with the installation
company to ask as many questions as possible. Sometimes
external help may be required. The key is to identify
who is doing what and not assume that security has been
addressed by a third party.
4.4 Maintain / Monitor
With the program implemented, you must ensure that
security is made an integral part of day-to-day activities.
Security must be a considered element of all system
upgrades, such as when new software is installed or
when more computers are added to your network. All too
often, new additions to systems are not made secure.
Monitoring tries to identify potential and actual security
problems before they become issues that could cost
your company time and money. When a security issue is
identified, you should have procedures in place to stop
further intrusion, limit disruption, save evidence and
prevent the incident from happening again. Believe it
or not, the first thing you should NOT do is turn off
the computer; by doing so you may damage evidence.
4.5 Continuous Improvement
Every business needs to keep abreast of current security
issues. Only by staying informed will you be
able to keep your security program current. It is important
that you consider the effect of changes in your business
strategy on your security requirements. It is advisable
that procedures are in place to address changes to your
business strategy that affect the security requirements
of your business information or information systems.
For example, suppose you have decided that you want your
workforce out on the road selling and you would like them
to have access to base for direct ordering etc. This
strategic change will affect the security program: dial-in
issues, authorisation issues etc. need to be considered.