
Security the next step

Continued from page: 1

Anil Chopra

Tuesday, August 14, 2007

Identify solutions to deploy
It's not just about anti-virus and firewalls anymore when it comes to security solutions. Today, there's a whole range to choose from: IDS/IPS, e-mail security, UTM, storage encryption, SSL VPN, information security, network access control and e-mail archival. Of all these, UTM was at the top of the list for most of our respondents. More than 60% of the CIOs said that they were planning to deploy unified threat management in the near future. A unified threat management device, as the name suggests, can perform multiple functions, so a single device can combat multiple security threats.

E-mail security was the next in line, but this goes beyond basic anti-spam. Today, a number of email security solutions are available. These include email security appliances to combat spam, email archival solutions to ensure compliance, and email encryption solutions for ensuring secure communication. Many CIOs we interacted with had plans to deploy an e-mail archival or encryption solution.

Other security solutions that are hot include storage encryption solutions and SSL VPNs. This doesn't mean that these are the only solutions available. It means that there are high chances that you would already have deployed the regular solutions like firewalls, gateway anti-virus, and IDS/IPS. At least a majority of our respondents already had these in place. To our surprise, a majority of our respondents already had information security and network access control solutions as well. No wonder then that they witnessed a decrease in the number of data thefts.

A proactive approach to compliance
In addition to our interactions with CIOs, we also had a last-minute interaction with a compliance expert from the Information Security Forum. It's a non-profit organization that has around 300 members from Fortune 500 companies. The compliance expert made a very relevant point. She said that the biggest trouble with most organizations is that they react to each regulatory audit that comes up. They follow a consistent process for complying with an information security framework. So, they need to follow a more proactive approach towards compliance with standards. The ISF itself can help companies comply with information security standards, and there are other widely accepted standards like BS7799 and ISO 127001 that can be adopted. Plus, one of their works is a document called the Standard of Good Practice. This basically looks at helping organizations assess their information security setups. The document is freely downloadable from ISF's website at www.isfsecuritystandard.com. In case of compliance, the guiding principle is to follow a proactive approach rather than a reactive one.

Incidentally, another area that poses a serious security threat is user rights management. When a user joins an organization, he/she is granted certain access rights to IT resources. Over a period of time, the user's access rights are bound to change. This could be because the user has been promoted, shifted to a different department or transferred to a different location. It's nothing new and happens in every organization, but does your IT department also change the user's access rights to IT resources with a change in profile? Chances are that the user still has access to a lot of resources that have been carried over from previous work profiles. So review user access rights regularly to avoid security problems later. More importantly, you need to do it at regular intervals. One alarming revelation, in stark contrast to this advice, was that nearly 50% of our respondents had no fixed timelines to review their users' access rights.

Keep a set of access policies handy
The last word on policies is to ensure that you keep a broad set of guidelines for users in your organization on Internet usage, email manners, network access, etc. Half of the security problems in an organization can be reduced through these. In fact, we asked CIOs an open-ended question about recalling an action they've taken in security that has done wonders. A majority of them answered with security policies. For instance, one of the respondents had set policies for web surfing and even limited free IM access to a limited number of people. Another respondent got his company's security policies drafted by an outside agency. There were some who had blocked USB ports on desktops, created network access policies for visitors, blocked access to outside sites, and taken disciplinary action against defaulters of policies.

In-house or outsourced security management?
This has always remained a sensitive question, because very few people want to risk outsourcing security management to a third party. But actually, there are parts that can be outsourced. For instance, there are companies that can do regular audits of your network or online portal and give you detailed reports of the same. This might be more feasible than keeping an internal security expert for it.
