Processes that Secure Computing
All the benefits of information technology can disappear in an instant if your systems are not secure. Even though computers have revolutionized how businesses are run, we all know that security threats are now a fact of life.
The level of dependence on IT increases rapidly each day. But as dependence increases, so does the associated risk. The threats have multiplied as well. Now your system can be infected not only from a stray games diskette but also from computers anywhere on the globe. If you want to benefit from your IT investment, you need to secure your information infrastructure. Start by practicing safe computing. Continuity of operations and correct functioning of information systems are critical to businesses. Threats to computerized information and processes are threats to business quality and effectiveness – corporate survival is at stake!
Computer security is the responsibility of everybody who has access to computers and computing facilities. Everybody, not just system auditors or systems professionals, needs to be well informed about practical computer security. You must be able to tell what safe computing is and what it is not. One way of doing that is by identifying the processes that secure computing.
The objective of IT security is to put measures in place which eliminate significant threats or reduce them to an acceptable level. Security measures must be implemented to protect data, software and hardware against accidental or deliberate loss, disclosure or corruption. They must also address security threats such as hackers, worms and viruses, as well as the vulnerabilities and software flaws that compromise computers, networks and intranets.
There is a need for measures, but measures are not processes. Good security will not just drop down from the heavens. All concerned must understand their responsibilities. This is why there is a need for an explicit statement of policy. The security policy must be reinforced with regular training and communications designed to foster awareness of security issues, as well as a working atmosphere in which good security is desired and routinely achieved.
Awareness of the stakeholders is essential for the effectiveness of any form of security.
The type of security policy you use depends entirely on the nature of your operations. Some policies are formal and written, others are informal and verbal. For example, the cybercafe that disallows the use of diskettes is implementing its own policy. Who implements this policy? How do you ensure that the policy is effective? The security policy needs processes and people (an organization) to ensure that it is implemented and that it stays in accordance with business needs.
Let us look at typical security processes that secure computing.
Every organization must have some form of security helpdesk. This is where user account management is often handled. Who can users call when they have problems? Where can they go when they have problems? Usually, if the helpdesk cannot resolve a problem, it is also responsible for escalating it to the next level, for example to vendors, system administrators or IT security professionals. The helpdesk also tracks the progress of problem resolution. What if a password needs to be changed? Can this be done over the phone? Are you sure that it is the authorized user who is asking for the change? Are you sure it isn't identity fraud? Some kind of "authentication" is required. Can you call the user back to confirm? Or ask some questions which only the user can answer?
Change management is another important security process. How are changes made to your hardware and software infrastructure? What are the procedures for installing or upgrading hardware and software? Is there a testing process before new software is introduced into the “live” system? Are there exceptions to the rule? We must always appreciate the need to balance security concerns and business needs. Measures and processes should never be such that, because of the “almighty” security measures, the business can’t even function.
The essence of change management is to ensure that changes are carefully prepared and carried out in a way that does not disrupt business activities. It is best to follow the rules KISS (Keep It Simple, Stupid) and "if it isn't broken, don't fix it". Is it really necessary to take the risk of installing updates that can only give you minimal benefits? Sometimes you can get too carried away with having the “latest” technology. The result may be wasted time and effort battling with the “latest” bugs. New technology brings new solutions as well as new headaches. Be sure that new software won’t give you avoidable nightmares.
An important security process is systems monitoring. How do you monitor your systems? Where and with what do you monitor your systems? Who is responsible? How do you know what is going on?
Data management, i.e., regular backup and restoring of data, is a security process required by all organizations. Unfortunately, quite a few people back up simply as a matter of routine. To some, the purpose behind the backup may not be clear: “We have to back up, so we back up”. Backup is tied to the recovery of data. There is no point or sense in backing up if the backed-up data cannot be used for recovery. Is the backup complete? Is relevant and critical data being backed up? For the backup to mean anything, recovery procedures must be regularly tested. If you are serious about computer security, at any level, even if it is just personal files on your diskette, you cannot afford to toy with backup and restore.
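The backup-and-restore test the paragraph above calls for, as an added example that is not part of the original article: it records a manifest of what was backed up, restores the archive into an empty directory and reports anything missing or altered. File names, the sample data and the archive path are all constructed for the demonstration.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def back_up(root: Path, archive: Path) -> dict[str, str]:
    """Write the archive and return the manifest it is supposed to contain."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(root, arcname=".")
    return build_manifest(root)


def restore_and_verify(archive: Path, expected: dict[str, str], target: Path) -> list[str]:
    """Restore into target and return the list of problems (empty list == restore is usable)."""
    with tarfile.open(archive, "r:gz") as tar:
        # Use the safe extraction filter where this Python version provides it.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(target, **kwargs)
    restored = build_manifest(target)
    problems = [f"missing: {p}" for p in expected if p not in restored]
    problems += [f"corrupt: {p}" for p in expected if p in restored and restored[p] != expected[p]]
    problems += [f"unexpected: {p}" for p in restored if p not in expected]
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Run one good restore test and one that catches a stale (incomplete) backup."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "db").mkdir(parents=True)
        (src / "db" / "orders.csv").write_text("id,total\n1,9.99\n")      # constructed sample
        (src / "notes.txt").write_text("constructed sample file\n")
        archive = Path(tmp) / "nightly.tar.gz"
        manifest = back_up(src, archive)
        good = restore_and_verify(archive, manifest, Path(tmp) / "restore1")
        # Failure mode: a critical file created after last night's backup ran.
        (src / "db" / "customers.csv").write_text("id,name\n1,Ada\n")
        stale = restore_and_verify(archive, build_manifest(src), Path(tmp) / "restore2")
        return good, stale
```

Running this check on a schedule, against the real archive and a current manifest, is what turns "we back up" into a tested recovery procedure.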
System audits are also processes that are needed for IT security. IT infrastructure, servers, operating systems, databases and files should be audited regularly. There should be an audit checklist for all critical infrastructure. A systems audit can only work where there is REAL “separation of powers” – the auditor needs to be independent of the administration and objective. Meaningful audits should check: guidelines, policies, documentation, systems staff, users, management, IT security personnel, administrators and IT resources. The systems audit examines each of these areas to determine strengths and weaknesses and what actions need to be taken for effective IT security. Note that an audit is meaningless if no concrete action is taken on its recommendations.
Finally, there must be processes for managing crises and disasters. Nobody prays for disaster, but according to Murphy’s Law, if anything can go wrong, it will go wrong. The IT infrastructure that you use to run your business and provide service to customers can fail. You need to plan not only to avoid disaster but also for what you should do if a disaster occurs. What do you do when the only service your service provider is providing is stories and excuses? What is your fallback?
I have looked at security processes that can raise your level of computer security. How you incorporate the processes into your business or activities is entirely up to you. It doesn’t matter how much you spend on security: if you don’t get the processes right, then you still have a problem. Sometimes, to save time and money, we forget the basics. It won’t work. Processes will determine the effectiveness of information security policies and standards.
Life is full of risks. Using computers adds to the risks. The convenience associated with IT increases the need for security. Security processes are part of the strategy you should use to reduce the risk of IT to an acceptable level. Getting the processes right should allow you to adopt a proactive approach to securing applications and infrastructure.
It’s about making IT security a top priority with regard to your IT strategy, internal policies, business activities and processes.
One final thought on IT security: Who should be more careful? The gatekeeper or the owner of the house?
I wish you safe computing! Jide Awe, Publisher, Jidaw.com
For more IT Security Resources, click here: http://www.jidaw.com/itsolutions/security3.html