Operating IT Security Practices as a Managed Process

InfoSecurity Europe : 09 March, 2010  (Technical Article)
Martyn Smith of Logically Secure explains the advantages of viewing security as rather more than software out of a box in order to operate effective information assurance in the organisation.

Information Assurance is about much more than placing barriers between attacker and target. Instead, procedures and controls must be woven into the fabric of an organisation; security must become part of normal business, rather than an additional set of measures surrounding it, if it is to be truly effective. Security is not a product; it is a managed process with no end state. It is a state of mind.

The problem is how to ensure that daily business is as secure as possible whilst maintaining the flexibility to respond to changing or unforeseen circumstances. Trading flexibility for rigid measures will neither assure security nor enhance business. However, abandoning security solely for the sake of that flexibility would be reckless in the extreme.

The introduction of incremental security can help many businesses, large and small, to develop or transform their practices, promoting a gradual development of workable processes and the seamless integration of appropriate technology. Even where security practices are already in place, it can be beneficial to start again from the beginning, adding missing measures and refining or replacing outmoded ones.

The real trick is to recognise the point at which further measures add little value to the overall protection of the business, or at least the point at which their cost exceeds the value of the business's outputs and the amount of risk it is willing or able to take. The measures in place can be checked by audit against a recognised standard by a qualified individual, but the subjectivity applied to the results often yields either no clear assessment of effectiveness or a false sense of achievement. Even so, it is still beneficial to have an impartial eye cast over security measures if an organisation wishes to hold itself up as an example to others.

Also, organisations that outsource often do not look at potential providers' security, or lack of it, to ensure it will not undermine their own. Having taken strong measures to protect information within the business, which is put at risk when sent to a service provider, it is of paramount importance that both parties can understand and articulate their respective positions in relation to the security they provide and expect in return. Assurances are one thing, but verification that the very same policies and practices are present in both companies would be significantly better. Always remember the adage that "Trust is the absence of a control measure."

Finally, the single biggest reason for systemic security failures in any organisation is the lack of support for the policies and procedures that make up the organisation's security measures. This support is critical. The value of formulating policy and procedures and deploying technological barriers is lost if there is no firm commitment from the executive body. Executive boards must ensure that they formally endorse and fund all policies at board level and demonstrate their own adherence to those policies. Successful spear phishing attacks are usually the result of senior executives ignoring the procedures they impose on their staff, or of an insistence on holding unnecessarily high-level privileges on their IT systems. As was mentioned at the beginning, security is a process, and one that requires all parts of the organisation to follow it.

Certified Digital Security is exhibiting at Infosecurity Europe 2010, the No. 1 industry event in Europe, held from 27th to 29th April at its new venue, Earl's Court, London. The event provides an unrivalled free education programme and exhibitors showcasing new and emerging technologies and offering practical and professional expertise.

   © 2012 ProSecurityZone.com