IT Security, a Step by Step Guide


(c) 2008 Kim Hutson

IT security breaks down into two categories: infrastructure security and network security.

Infrastructure security covers identity management, access management, information and event management (for the events side of things), and application and data management.

Network security is the means by which you protect yourself when you’re in an online or network environment; you need to ensure only the right people have access to your systems.

Security is needed so you can be confident you can transact properly without interruption. It also helps prove any compliance you have to adhere to and proves the capability to a wider business audience, as well as providing evidence to any auditors who monitor your company.

Even if your business is small, you still need security so your customers feel comfortable dealing with you, as well as being able to show any auditors you’re running your business properly and you have the right degree of controls. You also open yourself up to a wider opportunity – if your customers realise they can deal with you safely, your business will increase.

Everyone can benefit from good IT security. For example, an HR department spends a lot of time setting up and giving access to new employees; IT security can help make that process faster. A finance department can make sure that only those who should have access to certain systems have that access. It’s not just for the boys down in IT!

Information and event access, a way by which you control the security policy on a daily, minute-by-minute or second-by-second basis, involves things like dashboards, which give you a view of what is happening. It allows remediation, so you can inform relevant parties if something is happening which shouldn’t be happening, and it allows forensics if you ever have to provide evidence to an authority.

You may need to provide auditors with evidence of what control you have over your IT systems. You need to be able to tell them who has access to which specific systems or, the other way round, what systems a specific employee has access to. As you traverse the infrastructure, you also need to be able to monitor what is going on. A good security system should be able to provide all this information by taking all the logs which are collected, collating them, analysing them and ensuring specific reports are produced. It should be possible to produce these reports for specific regulatory requirements.

Implementing basic business security should allow employees to easily spot if someone is doing or accessing something they shouldn’t be. If someone wants to reset their own password, some basic security questions would be asked to make sure they have the clearance to do this. This would mean that if suspicious activity is reported, it would be easy to follow up and prove or disprove, and then to help determine a relevant course of action (such as having their file suspended pending a management review).

You need a security system which is going to be intuitive as part of the implementation process. When a user gets access to a system, the security software will recognise this and learn all the various passwords. This will ensure the user only needs the one password to gain access to the system, and that will allow them access, through the security, to a multitude of systems.

Two-factor authentication should be possible when setting up any decent security policy. It should be able to recognise and cope with a fingerprint detector on a laptop or an entryway and an area ID card or an iris detector.

Security software can also help if you’ve forgotten the password to your desktop. Instead of phoning the help desk, you would just be asked a set of predetermined security questions and would then be allowed to gain access to your desktop again.

You have to be constantly aware of the differences between your security policy and reality, because your organisation will be constantly changing; you need to ensure the practical reality reflects your intention for your security policy. Your software needs to be able to look at all the millions of events which are happening, interpret them, and then compare them to your intended security policy.

If you have a number of regulatory bodies which you need to report to, you need to make sure the policy these bodies require is enshrined in your security policy. You then need to make sure you’re reporting properly, which is something good security software should be able to help with.

Any report produced needs to be as clear as possible and easy to understand for someone who doesn’t have an intricate knowledge of IT. A comprehensive security system would be able to produce a clear and concise report without needing someone to spend hours going through all the data and ‘interpreting’ it into English.
