Jidaw Systems
(MASTERCOMPUTERS)


Processes that Secure Computing

All the benefits of information technology can disappear in an instant if your systems are not secure. Even though computers have revolutionized how businesses are run, we all know that security threats are now a fact of life.

 

The level of dependence on IT increases rapidly each day. But as dependence increases, so does the associated risk. The threats have multiplied as well. Now your system can be infected not only from the stray games diskette but also from computers anywhere on the globe. If you want to benefit from your IT investment, you need to secure your information infrastructure. Start by practicing safe computing. Continuity of operations and correct functioning of information systems are critical to businesses. Threats to computerized information and processes are threats to business quality and effectiveness - corporate survival is at stake!

 

Computer security is the responsibility of everybody who has access to computers and computing facilities. Everybody, not just system auditors or systems professionals, needs to be well informed about practical computer security. You must be able to tell what is safe computing and what is not. One of the ways of doing that is by identifying the processes that secure computing.

 

The objective of IT security is to put measures in place that eliminate significant threats or reduce them to an acceptable level. Security measures must be implemented to protect data, software, and hardware against accidental or deliberate loss, disclosure, or corruption. They must address security threats such as hackers, worms and viruses, as well as vulnerabilities and software flaws that compromise computers, networks and intranets.

 

There is a need for measures, but measures are not processes. Good security will not just drop down from the heavens. All concerned must understand their responsibilities. This is why there is a need for an explicit statement of policy. The security policy must be reinforced with regular training and communications designed to foster awareness of security issues, as well as a working atmosphere in which good security is desired and routinely achieved. Awareness among the stakeholders is essential for the effectiveness of any form of security.

 

The type of security policy you use depends entirely on the nature of your operations. Some are formal and written, others are informal and verbal. For example, the cybercafe that disallows the use of diskettes is implementing its own policy. Who implements this policy? How do you ensure policy effectiveness?

The security policy needs processes and people (organization) to ensure that it is implemented and that it is in accordance with business needs.

 

Let us look at typical security processes that secure computing.

 

Every organization must have a form of Security Helpdesk. This is a place where user management is often available. Who can users call when they have problems? Where can they go when they have problems? Usually, if the helpdesk cannot resolve a problem, it is also responsible for escalating it to the next level, for example to vendors, system administrators, or IT security professionals. The helpdesk also tracks the progress of problem resolution. What if a password needs to be changed? Can this be done over the phone? Are you sure that it is the authorized user who is asking for the modification? Are you sure it isn't online identity fraud? Some kind of "authentication" is required. Can you call the user back to confirm? Or ask some questions which only the user can answer?

 

Change Management is another important security process. How are changes made to your hardware and software infrastructure? What are the procedures for installing or upgrading hardware and software? Is there a testing process before new software is introduced into the "live" system? Are there exceptions to the rule? We must always appreciate the need to balance security concerns and business needs. Measures and processes should never be such that, because of the "almighty" security measures, the business can't even function.

 

The essence of change management is to ensure that changes are carefully prepared and carried out in such a way that business activities are not disrupted. It is best to follow the rules KISS (Keep It Simple, Stupid) and "if it isn't broken, don't fix it". Is it really necessary to take the risk of installing updates that can only give you minimal benefits? Sometimes, you can get too carried away with having the "latest" technology. The result may be wasted time and effort battling with the "latest" bugs. New technology brings new solutions as well as new headaches. Be sure that new software won't give you avoidable nightmares.

 

An important security process is systems monitoring. How do you monitor your systems? Where and with what do you monitor your systems? Who is responsible? How do you know what is going on?

 

Data management, i.e., regular backup and restoring of data, is a security process required by all organizations. Unfortunately, quite a few people back up simply as a matter of routine. To some, the purpose behind the backup may not be clear. "We have to back up, so we back up". Backup is tied to recovery of data. There is no point in backing up if the backed-up data cannot be used in data recovery. Is the backup complete? Is relevant and critical data being backed up? To be meaningful, recovery procedures must be regularly tested. If you are serious about computer security, at any level, even if it is just personal files on your diskette, you cannot afford to toy with backup and restore.

 

System audits are also processes that are needed for IT security. IT infrastructure, servers, operating systems, databases and files should be audited regularly. There should be an audit checklist for all critical infrastructure. Systems audit can only work where there is REAL "separation of powers" - the auditor needs to be independent of the administration and be objective. Meaningful audits should check: Guidelines, Policies, Documentation, Systems staff, Users, Management, IT Security personnel, Administrators and IT Resources. Systems audit examines each of these areas to determine the areas of strength and weakness and what actions need to be taken for effective IT security. Such audits are usually carried out by individuals or organizations with competency in IT security.

Note that an audit is meaningless if no concrete action is taken on its recommendations.

 

Finally, there must be processes for managing crises and disasters. Nobody prays for disaster, but according to Murphy's Law, if anything can go wrong it will go wrong. The IT infrastructure that you use to run your business and provide service to customers can fail. You need to plan not only to avoid disaster but also for what you should do if a disaster occurs. What do you do when the only service your service provider is providing is stories and excuses? What is your fallback?

 

I have looked at security processes that can help your level of computer security. How you incorporate the processes into your business or activities is entirely up to you. It doesn't matter how much you spend on security, if you don't get the processes right, then you still have a problem. Sometimes to save time and money, we forget the basics. It won't work. Processes will determine the effectiveness of information security policies and standards.

 

Life is full of risks. Using computers adds to the risks. The convenience associated with IT increases the need for security. Security processes are part of the strategy you should use to reduce the risk of IT to an acceptable level. Getting the processes right should allow you to adopt a proactive approach to securing applications and infrastructure.

 

It's about making IT security a top priority with regard to your IT strategy, internal policies, business activities and processes.

 

One final thought on IT security: Who should be more careful? The gatekeeper or the owner of the house?

 

I wish you safe computing!

 

Jide Awe

 

Publisher, Jidaw.com

 

For more IT Security Resources, click here:

http://www.jidaw.com/itsolutions/security3.html

 

 
