The issues concerning Internet security are of increasing concern to organisations of all shapes and sizes. With so much information about security attacks and the ramifications of such attacks, it is easy to lose sight of why we need to support our organisations, our data and our employees.
All too often the impetus to protect is driven by 'scare stories' and the pressure to focus on prevention. At Keltec, we believe the real issues regarding security are about enabling organisations to move forward and to confidently communicate within a protected environment.
Stories of security breaches, whether they are external or inside jobs, have been well documented. Corporations are increasingly being made aware that they are liable for their employees' actions, even if they are unaware of any breach of law. Products such as firewalls, virus checkers and Internet management systems have given us the ability to protect, but the issue of security is about much more than just protection.
Setting the correct security policy is key. Defining what is valid and what is not (what users can and can't do, what they can and can't view, what they can and can't send and receive) puts in place a framework that determines the correct methodology. The emphasis should clearly be on enablement: the implementation of an effective security policy is the springboard for ensuring effective and protected working environments.
It doesn't matter how good the technology is: if the policy and supporting services are incorrect, an organisation's security solution runs the risk of being ineffectual.
Setting a security policy
Your first step is to talk to a specialist. It is easy to underestimate the skills required to ensure that your organisation is secure, so involve a security specialist at an early stage.
With a number of companies offering various solutions to security issues, it is important to select a company that has a developed portfolio. Choose an organisation that can help you to project-manage your security solution, guide you through the process of determining your security policy, implement the technology and support the solution. With a project as critical as security you will need to work in partnership with a company that has a proven track record and which in turn works with the industry's leading technology partners.
Stage two of implementing a security policy is requirements analysis. It may be stating the obvious, but the initial stage of forming a policy document is to understand the business requirements within your particular environment.
Additionally, there may be requirements from external sources to access your data. The structure and business practices of your organisation will shape the policy process. Whether you are in a single office, multi-office or remote user environment, your organisation's security policy needs to reflect the way that you work. Ensure that there is a common understanding of what employees and partners are using Web access for, what data they need access to, how they need to distribute information and what documents and reports are created during this process.
The definition of what is valid and what is not will determine the framework of the policy. At this stage your supplier will be able to determine some of the technology requirements to meet your needs: firewalls, email encryption, authentication, virus-checking, anti-spamming and intrusion detection, for example.
There is no such thing as the perfect policy. As the requirements analysis determines, all policies are specific to the individual businesses concerned. All policies should, however, cover the following basics:
- Protecting employees: Attention must be given to the dangers of accessing the Web. Employees and organisations alike need to be protected from being liable for any material viewed or downloaded.
- Usage and content control: A statement that communicates the company's right to validate, monitor and log Web access/usage.
- Bandwidth control: Industry figures suggest that over 30% of Web access is non-business related. This has a direct impact on the bandwidth available to your organisation for critical operations and data.
- Reporting: Defining which areas of your organisation need which data, and when.
- Review scheduling: Areas where an organisation is susceptible to malicious attacks or unauthorised access are not static. Your security policy is a 'living document'. By regularly reviewing your security you can ensure that it is continually protecting your organisation. Additionally, your organisational needs will change: there will be staff churn, your offices may expand, you may increase the number of remote users, or there may be strategic developments such as merger or acquisition. All of these eventualities will require changes to the policy.
- Communicate and enforce: A security solution will only be effective if employees are informed and educated. In short, an organisation's security policy should be integrated with the company culture. In addition, the policy should be reflected in the company handbook and be a part of any employee induction process.
- Test, monitor, support and update: Once the policy has been created and agreed, the supporting technology will need to be put in place. Installing and managing the technology internally is one option, but it is becoming increasingly common for organisations to look into a managed service solution. Once the solution is in, penetration tests will need to be carried out to ensure protection has been achieved.
An effective security policy requires constant monitoring. The development of technology (and counter technology) and the change in business practices will both determine the need to review your security. It is easy to be lulled into the belief that once the security policy and solution have been defined and delivered then the organisation will be safe. Without these reviews, the capacity to enable effective working and protection will deteriorate.
Implementing a correct security policy and its subsequent solution is an asset to any organisation. Much like a traffic light system, it will control the flow of data, keeping the organisation moving in the correct direction.
Michael Wheeler is marketing manager at Keltec Ltd. Keltec is a leading provider of high quality, integrated, e-business infrastructure and enterprise IT solutions, utilising best-of-breed products and services.
For more information, visit www.keltec.co.uk/security.htm