In addition, striking the right balance between functionality and accessibility is a critical facet of IT security supporting e-commerce. It involves six basic steps:
Conduct routine assessments of vulnerabilities. Routine means going beyond perimeter technology assessments and putting a heavy emphasis on the internal network and application services. Vulnerability scanners that perform the basic scans to examine vulnerabilities in computing platforms can be obtained at little or no cost. Fix the vulnerabilities within the enterprise! Every major software vendor has extensive information on how to secure an operating system, depending on the use. An example of this is securing Windows NT and IIS: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/chklist/wsrvsec.asp. (Refer to the list of recommended readings for other resources.)
Write a policy that is clear, concise, relevant, up-to-date and maintainable. Adhere to policies and educate users while maintaining them. Without a policy, there is no set of standards upon which to measure company activities. It is equally important that a policy contain more than platitudes. If it has no teeth, then why bother writing a policy that will never be enforced? People will do what is inspected and not necessarily what is expected from vague, generalized policy statements.
Develop a set of minimum security best practices for implementation on all platforms. This includes desktops, servers, routers, firewalls, applications (e-mail, Web servers, etc.). Relying solely on a secure perimeter without hardened systems leads to a false sense of security. Implementing an e-mail server, without making it a hardened system for an e-mail service, is just asking for trouble. It takes little time and effort to harden an e-mail server. If everyone has a Windows workstation, when was the last time any security patch was installed and how many varieties of Windows does the company use?
Educate employees. Teach developers how to incorporate sound security practices into applications. Teach end-users the “do’s and don’ts” of good security. Post-It Notes with the password on the side of a terminal or under a keyboard, for example, are unacceptable. Strive to keep staff informed! Education and awareness are two of the least expensive ways to mitigate enterprise risk. Everyone likes to poke fun at Microsoft as it ventures into making its products more security aware. But how many companies write custom code or buy application packages without a single thought as to how secure that code really is?
Review company processes. Make sure that processes exist where they are needed. Does a process exist for system backup? What about protecting those backups? What about moving those backups off-site? If those processes exist, are they regularly tested? Implementing a SAN (storage area network) or any other new storage technology does not eliminate the need for some simple testing. It is too late to find out that all those backups or mirrored files are worthless when the need to restore arises. Test…test…test!
Streamline processes. Processes that are unpleasant to perform or feel unnecessary to the employees are less likely to be followed — despite their importance in ensuring security. Although security processes may never be fun, they should be easy to follow.
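As an added example, not taken from the book, here is the kind of automated restore test that the fifth step's "Test…test…test!" calls for: it backs up a constructed sample directory together with a SHA-256 manifest, restores the archive into a scratch directory, and reports FAIL if the archive is unreadable or any restored file differs from the manifest. All data and paths are constructed, and GNU coreutils `sha256sum` is assumed.

```shell
#!/bin/sh
# Added example, not from the book: an automated restore test for a backup job.
# A backup only counts as working once it has been restored and checked, so this
# backs up a directory with a SHA-256 manifest, restores the archive into a
# scratch directory, and compares every restored file against the manifest.
# All data and paths are constructed; nothing touches real backup infrastructure.
set -u

# make_sample_data DIR : constructed sample "production" data to back up
make_sample_data() {
    mkdir -p "$1/db" "$1/web"
    printf 'customer,balance\nalice,100\n' > "$1/db/ledger.csv"
    printf '<html>shop</html>\n' > "$1/web/index.html"
}

# backup_with_manifest SRC ARCHIVE MANIFEST : tar SRC and record per-file hashes
backup_with_manifest() {
    ( cd "$1" && find . -type f -print | sort | xargs sha256sum ) > "$3"
    tar -C "$1" -cf "$2" .
}

# verify_restore ARCHIVE MANIFEST : restore into a fresh scratch dir and check
# every hash. Prints PASS or FAIL; returns 0 only when the restore is complete.
verify_restore() {
    manifest=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    scratch=$(mktemp -d)
    if tar -C "$scratch" -xf "$1" 2>/dev/null &&
       ( cd "$scratch" && sha256sum -c --quiet "$manifest" ) >/dev/null 2>&1; then
        rm -rf "$scratch"; echo PASS; return 0
    fi
    # An unreadable archive, a changed file and a missing file all land here.
    rm -rf "$scratch"; echo FAIL; return 1
}

# demo : run the whole cycle once, then show that a changed file is caught.
demo() {
    work=$(mktemp -d)
    make_sample_data "$work/data"
    backup_with_manifest "$work/data" "$work/backup.tar" "$work/manifest.sha256"
    echo "good backup: $(verify_restore "$work/backup.tar" "$work/manifest.sha256")"
    printf 'corrupted\n' > "$work/data/db/ledger.csv"   # simulate silent corruption
    tar -C "$work/data" -cf "$work/bad.tar" .
    echo "bad backup:  $(verify_restore "$work/bad.tar" "$work/manifest.sha256")"
    rm -rf "$work"
}

demo
```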
The purpose of good security architecture is to keep a network and its computers secure. It is not supposed to obstruct the course of doing business, nor is it intended to reduce the functionality of the tools needed to perform a job. A good security system does not work against company processes. It should mesh with current computer usage and system design, benefiting the enterprise as a whole.
Patrice Rapalus, Director of the Computer Security Institute (CSI), remarked with respect to the findings of the 2002 Computer Crime and Security Survey,
“Over the seven-year life span of the survey, a sense of the ‘facts on the ground’ has emerged. There is much more illegal and unauthorized activity going on in cyberspace than corporations admit to their clients, stockholders and business partners or report to law enforcement. Incidents are widespread, costly and commonplace. Post-9/11 there seems to be a greater appreciation for the significance of information security, not only to each individual enterprise but also to the economy itself and to society as a whole. Hopefully, this greater appreciation will translate into increased staffing levels, more investment in training and enhanced organizational clout for those responsible for information security.”