Skip to main contentSkip to menu

THE POSSIBILITIES ARE INFINITE

  1. Home >
  2. News >
  3. Publications >
  4. Articles >
  5. Ten Steps to Security
Main contents start here

Reprinted from "Strategy for Business", Issue 6, Spring 2001 with permission from ICL, PLC. Author: Tom Parker, an ICL fellow emeritus, IT Systems Architect.

Ten Steps to Security

Disaffected employees, criminals and hackers see computer systems as just another "business" opportunity. A four year old can download hacking tools and play at breaking your systems. Is it any wonder that the e-Business environment is a fraudster's paradise?

Here are ten steps to help make your systems secure:

  1. First, decide why you want it.
    It seems obvious - to protect your valuable assets, but there may be other reasons. Will it enhance your business image? Security is a positive selling point in many business sectors. Are you legally obliged to apply due diligence to keeping the data under your protection secure.

    Your systems may handle other people's money, with all of the legal constraints that imposes. Is it an enabler for new business? Without security there are many new e-Business paradigms that simply cannot be exercised.
  2. Then work out what you want to achieve.
    You must do at least a basic risk analysis. Its cost will be amply repaid. Think of it as the only way of making sure you only spend your security budget on what is needed for what needs it.
  3. But don't play at it.
    Plan it thoroughly, get board level backing, put the right security management structure in place. Don't use a non-IT security person as your IT security manager. Resource it properly - and this can mean significant ongoing security maintenance costs as well as the initial outlay. Resist DIY website security - you will almost certainly need professional web-server security products.

    Finally, if you haven't got it in house, you must get expert help. Remember attackers need only to be expert in the areas they attack. You need to match that expertise in all possible areas of attack. Don't be afraid to ask your suppliers for free advice on how to best deploy their products - it's in their interest that you get it right.
  4. Do what you need to do, not what is trendy.
    Don't say: "Public Key Infrastructure seems to be the thing these days, I'll have some of that." But do say: "I don't necessarily need any high tech, if new admin procedures will do the job, then that's what I'll use." Don't be afraid to use high tech solutions like cryptography if it is really needed, but make sure that you do not buy solutions that are looking for problems. Don't just think about hackers, they get the most publicity but the main threat is usually from inside - the cheapest security measure is to keep your staff happy.
  5. Write down how you are going to do it.
    The traditional wisdom is: write a security policy, and document your security standards and security procedures. Think about who will be reading these documents and what you want them to do as a result of reading them.
  6. Convince your people.
    Sell your solution to those who will need to live with it. With a strong security culture you're half way there.
  7. Fix known bugs.
    Most systems are vulnerable simply because their patch state is not up-to-date. Keep track of new security flaws as they are detected and fix your systems with the patches your vendors make available to you. Viruses and worms are an increasing and expensive problem. If you use detection technology, and you nearly always should, keep its signature files up-to-date. Institute a process to make sure your staff keep their virus checkers up-to-date.
  8. Keep a watch out.
    Keep audit trails and make sure you look at them. Try to be proactive in your analysis, not just reactive. Consider using Intrusion Detection technology. This advanced technology has recently come of age. It has moved out of the research labs into regular deployment and for the first time is proving its worth.
  9. Test it.
    It is crucial that you test your security solution. Attack your own system in the same way as attackers might. Think like the enemy. There are dozens of free attack tools available on the Internet - use some of them, your attackers certainly will. And deploy commercial security state analyzers.
  10. Maintain it.
    Configurations change, threats change, applications come and go. Don't think that you can build a secure system then forget it, you have to make sure you keep your defenses on the ball. The commonest security breaches are due to poor management. Security management is as important to get right as run-time security.

    If you can follow these steps, the security you deploy will be focused on the right targets and will also be tailored so it closely matches your needs. There is no such thing as perfect security. Indeed, you should not even aim for 100% security because it is too expensive to justify. But by following the ten steps that are outlined above, you can be confident that the security you have in place will be delivering exactly what you think it is delivering. That's the best you can expect, and it is all that you need.


Top of Page

Related menu starts here

Main menu starts here
End of the page