Taking stock of security

Where do you start when coming up with a company security policy?

What do you need to do to at least get a handle on the tasks that make up a good security policy inside your organization? This tip, excerpted from InformIT, discusses where to start looking.


Everyone's aware that the boundary between the inside and the outside of an organization is where the barriers against bad guys are needed. Unfortunately, the barriers inside an organization, which are far too often overlooked, may be even more important than those on its periphery. An FBI analysis of security exploits from 2000 indicates that over 70 percent of all such events originate inside organizational boundaries.

That's why any systematic attempt to take control over system and network security must begin with an assessment and review of the current state of security in that environment. This means inspecting and analyzing user rights to systems and resources as well as file and folder permissions on servers, desktops, and in distributed file systems. A thorough understanding of the default security settings of the operating systems and applications you use is also required, because in practice access controls seldom deviate from those defaults.

At the same time, it's essential to understand what kinds of security requirements can meet your organization's needs to protect valuable assets, restrict access to confidential or sensitive information, and manage access to routine information on the right kind of "need to know" basis. (For example, if Bob is Fred's manager, Bob needs to know how much Fred earns; if Sally doesn't work for Bob, he probably doesn't need to know how much she makes.) This kind of information needs to be compiled on the basis of job roles and information resources across an entire organization. A document called a security policy states these requirements in an intelligible way.

Proper security management is possible only when a series of surveys is performed, and changes are instituted to match actual security settings and controls to an organization's security policy. At that point, the security routine can begin, as you monitor your systems and networks for potential vulnerabilities and respond to threats or incursions, and start to execute regularly scheduled security maintenance activities. This ongoing round of work explains why some experts think of security as a "state of mind" and why others call it process rather than a destination. For my part, I like to state that security is something that's never finished -- there's always something more to do!
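The survey-and-compare step described above, together with the need-to-know rule from the Bob/Fred/Sally example, can be turned into a small audit. The following is an added example, not code from the original article or from InformIT: the org chart, the salary records and the current access control lists are constructed sample data, and the only policy rule encoded is the one the article gives (an employee and the managers above that employee may read the employee's salary). The script reports every grant that exceeds the policy (such as an inherited "everyone" default) and every grant the policy requires but the current settings lack.

```python
"""Survey current read permissions against a need-to-know policy.

Added example (not from the original article). All names, records and
ACL entries below are constructed sample data.
"""
from dataclasses import dataclass

# Constructed org chart: employee -> direct manager (None at the top).
MANAGER_OF = {
    "fred": "bob",
    "sally": "alice",
    "bob": "carol",
    "alice": "carol",
    "carol": None,
}

# Constructed current ACLs: record -> principals with read access.
# "everyone" stands in for an inherited default that nobody chose.
CURRENT_ACLS = {
    "salary/fred": {"fred", "bob", "everyone"},
    "salary/sally": {"sally", "bob"},   # bob is not sally's manager
    "salary/bob": {"bob"},              # carol (bob's manager) is missing
}


def management_chain(employee, manager_of=MANAGER_OF):
    """Return the managers above `employee`, nearest first."""
    chain = []
    seen = {employee}
    current = manager_of.get(employee)
    while current is not None:
        if current in seen:  # a cyclic org chart would loop forever
            raise ValueError(f"cycle in org chart at {current}")
        chain.append(current)
        seen.add(current)
        current = manager_of.get(current)
    return chain


def required_readers(record, manager_of=MANAGER_OF):
    """Need-to-know policy: the employee plus their management chain."""
    employee = record.split("/", 1)[1]
    return {employee, *management_chain(employee, manager_of)}


@dataclass(frozen=True)
class Finding:
    record: str
    principal: str
    kind: str  # "excess" (grant not allowed) or "missing" (grant required)


def audit(acls=CURRENT_ACLS, manager_of=MANAGER_OF):
    """Compare each ACL with the policy and list every deviation."""
    findings = []
    for record, readers in sorted(acls.items()):
        required = required_readers(record, manager_of)
        for principal in sorted(readers - required):
            findings.append(Finding(record, principal, "excess"))
        for principal in sorted(required - readers):
            findings.append(Finding(record, principal, "missing"))
    return findings


if __name__ == "__main__":
    for f in audit():
        print(f"{f.kind:8} {f.record:14} {f.principal}")
```

Running the audit on the constructed data flags the inherited "everyone" grant and Bob's access to Sally's record as excess, and reports the managers who should be able to read each record but currently cannot. In a real survey the two dictionaries would be filled from exported ACLs and the HR system rather than typed in, and the policy function would carry whatever additional roles (payroll, auditors) the organization's own security policy names.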


Ed Tittel is president of LanWrights Inc., in Austin, Texas, and is also a frequent contributor to several TechTarget Web sites.


This was first published in December 2001
