Locking up at work

A successful security solution requires that you understand your systems' vulnerabilities and enforce security policies enterprise-wide. Here are a few dos and don'ts that help you implement the right security initiative.

Is my IS (information system) infrastructure vulnerable to external attacks? How do I know what the risks to my business are? How do I protect my company's vital information resources from hackers, competitors and unauthorized internal users? Do I have the right internal controls in place? Are my employees accessing resources that they shouldn't be?

These are some of the questions that haunt most CIOs (chief information officers), whose primary goal is to allow uninterrupted, secure IS access to authorized personnel while keeping intruders at bay. While almost all companies understand the importance of IS security, they are seldom aware of what it takes to succeed in their security missions.

Security tools and applications are readily available. But organizations face big hurdles in implementing the right security initiative.

Organizing security

Once its overall strategy is in place, an organization should set up an internal security department responsible for implementing it. This management framework, with roles and responsibilities clearly defined across the phases of the security lifecycle, should have the active involvement of top management, the head of operations, and the information systems chief and his team.

Given the complex nature of security initiatives, organizations should clearly identify responsibilities and build accountability at all levels.

In doing this, they could choose to take:

  • A technology-based approach, with security roles defined per layer: network, operating system, application and database, or
  • A business approach, wherein each business function has its own defined security roles.

In addition, external security specialists could add value on a project or retainer basis.

Analyzing security requirements

The first task for the security department is to develop a model that forms the launching pad for the organization's security project lifecycle. The model should set the boundaries of acceptable behavior and technology usage within the organization, and lay out a security road map with clearly defined milestones.

The question that any organization should ask itself at this stage is: "How do I establish my security requirements?" In answering this question, one realizes that risk assessment is a logical starting point to the security lifecycle. It involves:

  • Vulnerability assessment: It calls for identification of vulnerabilities or weak points in a business set-up. Fixing them involves steps such as disabling services and ports that are not required on network devices and hosts, and hardening operating system configurations.

    Vulnerability assessment is carried out at two levels: tool-based scanning of the network, system and application elements; and penetration testing, a live test of the effectiveness of security defenses that mimics the actions of real-life attackers. These should be performed using current attack tools and expertise, and penetration tests only under written authorization with an agreed scope.

  • Threat identification: Identification of all possible applicable threats to an organization in a given business environment.
  • Impact assessment: Assessment of potential impact of loss of confidentiality, integrity or availability of information sources on the business, taking into consideration existing control and backup mechanisms in place.
  • Likelihood assessment: Estimating the likelihood of a security breach given the vulnerabilities found and the controls already in place.

A gap analysis is then undertaken, which measures how far the current controls deviate from the set of standards that the firm requires to support its core business functions. This should be performed for each line of business or revenue stream.
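As an added example that is not part of the original article, the following Python script shows one concrete form of the check that underlies both the vulnerability-fixing step above (disabling services and ports that are not required) and the gap analysis: it parses the output of `ss -ltn` from a Linux host and compares the listening TCP sockets against an assumed baseline of what a host in a given role may expose. The `ss` output, the host role and the baseline are constructed for illustration and are not taken from any real system.

```python
"""Compare a host's listening TCP sockets against a baseline.

Added example, not code from the original article. Input is the text
output of `ss -ltn` on Linux (the Local Address:Port column is what we
need). The baseline maps a port to the scope in which it may listen:
"external" (any interface) or "local" (loopback only).
"""
import ipaddress

# Constructed sample of `ss -ltn` output for a hypothetical web server.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port  Process
LISTEN  0       128            0.0.0.0:22           0.0.0.0:*
LISTEN  0       4096         127.0.0.1:3306         0.0.0.0:*
LISTEN  0       511            0.0.0.0:80           0.0.0.0:*
LISTEN  0       128            0.0.0.0:23           0.0.0.0:*
LISTEN  0       128               [::]:22              [::]:*
LISTEN  0       50             0.0.0.0:5900         0.0.0.0:*
"""

# Assumed baseline for the "web server" role (hypothetical standard).
WEB_SERVER_BASELINE = {
    22: "external",    # SSH for administration
    80: "external",    # HTTP
    443: "external",   # HTTPS
    3306: "local",     # database must bind to loopback only
}


def parse_ss_listeners(text):
    """Return [(address, port), ...] for every LISTEN row in `ss -ltn` output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or unrelated line
        addr, port = fields[3].rsplit(":", 1)   # "[::]:22" -> "[::]", "22"
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; wildcard binds ('*', 0.0.0.0, ::) are not."""
    if addr == "*":
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def baseline_gap(ss_output, baseline):
    """Classify listeners against the baseline.

    unexpected:  listening port not in the baseline at all (candidate to disable)
    overexposed: port allowed on loopback only but bound to another address
    missing:     baseline port with no listener (service down or not deployed)
    """
    listeners = parse_ss_listeners(ss_output)
    result = {"unexpected": [], "overexposed": [], "missing": []}
    for addr, port in listeners:
        scope = baseline.get(port)
        if scope is None:
            result["unexpected"].append((addr, port))
        elif scope == "local" and not is_loopback(addr):
            result["overexposed"].append((addr, port))
    seen_ports = {port for _, port in listeners}
    result["missing"] = sorted(p for p in baseline if p not in seen_ports)
    return result


if __name__ == "__main__":
    gap = baseline_gap(SAMPLE_SS_OUTPUT, WEB_SERVER_BASELINE)
    for category, items in gap.items():
        print(f"{category:12s} {items}")
```

On the constructed sample the script flags telnet (23) and VNC (5900) as unexpected listeners, reports nothing overexposed because MySQL is bound to 127.0.0.1, and records 443 as missing from the baseline. In practice the input would come from `ss -ltn` run on each host and the baseline from the standard chosen for that host's role; the same comparison, repeated on a schedule, is what keeps the security baseline from drifting.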

Formulating the policy

A security policy is created in line with an organization's business objectives and its security requirements. The policy document defines the set of controls that the organization adopts in order to achieve its security vision.

Firms should ensure that their security policy complies with globally-accepted standards, and regulatory and legal guidelines.

Some policies can be implemented through security processes and workflows, such as incident handling, information classification and handling, authorization, backup and recovery, logging and auditing, and change management processes.

Other security policies require the implementation of technical components. Security architecture design involves identifying the network, system and application components concerned, followed by product evaluations based on technology and business requirements.

CIOs need to understand that security is not a one-time exercise; it is an ongoing process. New vulnerabilities are discovered on an almost daily basis. They must keep track of the latest vulnerabilities and take adequate protective measures to ensure that their security baseline is maintained.


CopyRight 2003-2004 Net ProActive Services  All Rights Reserved