Origin: TechRepublic (http://www.techrepublic.com)
To secure a network, you must perform a thorough risk/threat assessment. Remember that this isn't a one-person or one-department show. Consult widely within the company to get the big picture and all of the little details. First, get an executive with clout on your side--someone who can back your efforts. Then draw up a detailed list of questions that need answering and run it by colleagues and peers. Keep this list open by asking the people you interview what else they would like to add. This often generates questions and concerns that you may not have thought of before.

Questions should start with general issues and work down to the particulars. Ask the executives, managers, and department heads about the company's business plan. The annual report is a useful and often overlooked source for such information, plus it provides a good overview of your corporate structure.

As a word of caution, don't simply distribute a questionnaire with a deadline attached to it. You'll most likely receive a rushed response, probably from someone who was delegated the task but doesn't have the time or inclination to answer with the needed thought. Instead, set up meetings and interview people. It will get them thinking about security, even after you're gone.
Determine the value of assets

When performing risk assessment, keep in mind that to determine the risk, you have to determine the value. The more value an asset has, the greater the need for its security. This may seem pretty obvious, but it's something that people often lose sight of. In addition, it's not always obvious what those "assets" are.

Here's an example: A consultant interviewed the CEO of a large corporation. At the end of a fruitful discussion, both were pretty certain they had it all covered. It was over coffee that the CEO proudly revealed that his company's new product was sure to take the market by storm. Further investigation by the consultant revealed that the engineers who were working on the product carried around highly confidential information relating to the product development on their laptops--unencrypted. E-mail relating to the project wasn't encrypted either.

Once you have the big picture about your company's structure, business processes, communications, and assets, you'll have a good idea about what needs to be secured. Sit down to discuss the best ways to secure these, as well as to establish immediate, short-term, medium-term, and long-term goals. If necessary, provide training for the IT department to accomplish your objectives. Once the plan is implemented, monitor the security setup on an ongoing basis. In addition, be sure to review your security plan regularly, because as companies change, so does the security landscape.
Copyright 2002© EHTO All rights reserved