Even as the corporate world keeps discovering and inventing new benefits of a
networked world, threats to those networks, too, are attaining new dimensions.
Very much like real-world crime — where criminals always seem to be one step
ahead of the police — attackers, hackers and intruders are constantly developing
new and complex techniques to outsmart the best security systems. Moreover, even
when organizations are not facing the highly motivated, armed-to-the-teeth kind
of attacker, they are also very likely to be hit by attacks from within. Network
security threats have certainly assumed new proportions with the fast-emerging
centrality of the Internet as a medium of communication. And the Internet, as we
all know, is a network of networks, connecting millions of anonymous users all
over the world, which makes it more vulnerable than any other form of computer
network. All this means that corporate networks are always at risk.
Common Network Security Objectives
So what does one do in these circumstances? Should one look for perfect
security? It is better to realize here, as Neel Ratan of PricewaterhouseCoopers'
global risk management solutions practice in India puts it, that information
security is a risk and, like most risks, it cannot be eliminated but can be
mitigated. So, if perfect security is a mirage, what should one do? The solution
lies not in trying to eliminate the risk but in managing it effectively and
putting an adequate security mechanism in place. But how does one manage risk
effectively, define adequate security, and then design, implement and manage it?
To begin with, organizations must do away with the belief that the deployment of
powerful technological paraphernalia is a guarantee against any of the security
threats, be it viruses, hacker attacks or network intrusions. Technological
controls are usually ineffective in the absence of a proper security management
and monitoring policy.
The first step towards achieving adequate security goals should be an
assessment of the organization's security mechanism and its performance in the
existing security environment. Primarily a management function, the assessment
should then form the basis of the next step — a comprehensive, documented
security policy. The policy should not only assess present and future risks but
also determine the needs of the organization. It should also set out the
management and monitoring principles that the organization will follow in order
to maintain adequate security. The policy itself could contain the details of
the technological tools that the organization would require. Here, it must be
remembered that the policy should be a dynamic one with in-built flexibility, so
that changes are incorporated whenever necessary.
Security Best Practices
Look at your network in totality—look at your risk profile
Neel Ratan, global risk management solutions, PricewaterhouseCoopers, India.
While deciding on the security policy, the assessment of risks and needs must
take into account the fact that the two are not uniform across the spectrum. The
security needs of different kinds of networks are different. In other words, an
e-business portal would have an entirely different set of risks and security
needs compared to a raw-material supplier connected to its buyer through a
private network. A security policy should not only be linked to threats but also
to the business risks specific to the organization's industry or area of
operation.
Among other things, a well-documented security policy has two prime benefits.
First, it brings focus to the security practices of an organization, making it
easier for the organization to know and do what it needs to do in terms of
management, implementation and monitoring. Second, it helps the company avoid
expenditure on unnecessary security boxes and solutions.
Here, it is important to distinguish between policy and guidelines. While the
policy should outline the fundamental requirements that the senior management
considers imperative, guidelines should provide the more detailed rules for
implementing the broader policies. Guidelines can also be designed as an
educational tool that could help the employees understand and follow the desired
security practices. Employees need to be educated effectively because, in most
cases, it is the human being that is the weakest link in the security chain. An
employee could sometimes be as strong a security threat as the most motivated of
the attackers.
Key Elements of Security Policy
Educating and training management and employees on security risks and controls
is imperative for the success of any security policy. Also important is
involving business managers in risk assessment. Involving business managers in
identifying potential threats and vulnerabilities, and the consequent impact on
business operations, could help them better understand the imperatives of
security. This matters because a business manager is in a better position to
know which information or data is sensitive and needs to be protected.
A security policy can only be effective when it is linked to a cycle of
activities, so that network security risks are identified and addressed on an
ongoing basis. The effectiveness of the policy and the risk control mechanisms
should be monitored regularly through analyses, evaluations and audits to
determine whether the existing policy or security mechanism needs to be modified
or updated. External third-party audits should be carried out regularly to
obtain an independent assessment of security.
Set Your Priorities
SV Ramana, country system engineering manager, Cisco Systems.
When securing a network, the most important thing an organization should keep
in mind is that prevention, as they say, is the best cure. So a proactive
approach to security that focuses on prevention and detection before any breach
should be the goal. After all, while security costs money and time, the loss on
account of an inadequate response to threats and risks could mean not only
irreparable financial loss but also damage to organizational reputation,
credibility and trust.
Security is a Continuous Process: Keep Checking the System
Swapan Johari, business head, emerging solutions and services, HCL Comnet