IT Security

Introduction

Computer networks are operating in an increasingly risk-prone environment. Hackers, competitors, dishonest data brokers, and disgruntled employees have a seemingly endless menu of attacks to choose from these days. Companies can build their computer system's defenses just as they would strengthen their body's ability to ward off infection by developing a regimen of "healthy" practices and sticking to it.

The following steps are recommended as a guide to consultants or in-house information systems (IS) security professionals who are called on to secure a corporation's network. These steps can help management ensure that the proper computer security policies and procedures are put in place and that they are followed by all employees.

Develop Principles

The company should first develop an official IS security policy with guiding principles that communicate corporate security objectives. This policy serves as the foundation of the organization's security infrastructure. Principles should be developed with input from information systems personnel or other personnel responsible for any portion of the information stored on the network. They must also receive the full support of senior management. In addition, the plan should serve (not hinder) the overall corporate mission.

The policy should include a discussion of computer security responsibilities, penalties for noncompliance, and classification of information. It should also address viruses, physical security of network components, telecommunications security, and Internet and remote access. In addition, it should include procedures for network intrusions, laptop security, and data backup and restoration. (Avolio, 2000)

Responsibilities

This section gives employees specific instructions on their roles in protecting the network. For example, the policy can explain the importance of safeguarding passwords and never giving them to anyone under any circumstances.

It is also a good idea to include a passage on social engineering, a technique used by outsiders to obtain information from unsuspecting employees. A hacker, for example, might call claiming to be a technician working on the network who needs the employee's password. The policy should tell employees what to do if they receive such a call; for example, the policy might require notifying IS personnel.

Penalties

As the old saying goes, the punishment must fit the crime. If the company is serious about network security, it must be ready to mete out penalties to those who violate policy, but penalties must be reasonable.

Classification

Information should be given a confidentiality rating based on the damage that would result if it were lost or stolen. The policy should state how these ratings are to be assigned and who can access the information in each rating category. It should explain where on the network classified information should be placed and whether additional safeguards are needed. It is a common practice to divide the classification into levels from zero to five, depending on the impact that will result should the information be disclosed, altered, damaged, or deleted. Zero would signify no impact, while five would represent a catastrophic impact. For example, a personnel database, the corporate five-year plan, and executive e-mail messages would be level five, basic public information level ...