The best security practices are those based on the proactive management and supervision of several key elements including services, methodologies, mechanisms and technologies. Information security involves a great deal more than technology alone and therefore simply acquiring anti-virus software or installing a firewall or both will not guarantee everlasting protection.
The first step towards improved security is to identify what it is that has to be protected and from there on build a security framework based on policy, says Carrick. These two fundamental actions from part of the security lifecycle concept or the phased approach to covering all bases within the information security arena.
"The lifecycle begins with the determination of assets, the possible threats to those assets as well as the vulnerabilities and potential risks these assets are exposed to. An organisation has to understand what it is they have to protect and information that is being disseminated has to be reliable. Organisations cannot afford to have the security of their communication compromised in any way and technology alone is not the solution," explains Carrick.
"A common pitfall and ultimate Achilles Heel for many businesses is that decision makers often come to rely entirely on the solution to sort out any potential security problems. One must remember that the cycle incorporates far more than just IT. People, processes and technology all form part of Information Security," he adds.
Once this phase is adequately managed, all vulnerabilities are identified, risk assessed and a full business impact analysis completed, the organisation can then move on to the strategic planning phase
"Now the business has to establish an information security framework by setting up policies. These would include counter measures and contingency plans should something happen. The objective, of course, is to prevent problems, but you must have that 'what if' scenario playing some role. As a reseller you must have a plan B if the supplier can no longer trade, the fruit and vegetable shop has to have a second supplier should his main supplier fail to provide the service for whatever reason. From an IT perspective, anti-virus represents the 'what if', but it is serves no purpose if it is not updated," explains Carrick.
The processing phase, relating to IT, would incorporate solution implementation and implementation management. However, the business cannot simply implement and then roll out to the rest of the organisation and then attempt to manage the consequences warns Carrick.
"Proper planning is imperative. Once full project planning derived from the strategic planning phase has been completed, the organisation must create an accurate and effective pilot environment that would serve to simulate how the solution works within the business. There are vital considerations and a proper planned approach is crucial. Training and awareness is also key so as to get the most out of the product," adds Carrick.
Assessment, Strategic planning and processing all culminate in the fourth phase or auditing phase. The organisation uses this step to ensure that people are complying with the policies laid out and the solution, based on adequate pilot testing, is living up to expectations.
"Polices are geared to steer an organisation within a specific direction. In a sense they are the law of the company – it is no good simply establishing a policy and not enforcing them through regular inspection and supervision. This is necessary not only to make sure that people are following instruction but also to monitor whether or not the product is performing and if the solution works. Managers must be proactive to solicit reports, correct logs. The product is only as good as its latest update – remember technology is only one part of the security lifecycle," concludes Carrick.
MicroZone
Chris Tredger
Tel: (012) 803 6335
