Monday, April 23, 2007

7 Security Best Practices: (1) Security Policies

I recently read an article in Network World entitled "The 7 best practices for network security in 2007" written by Gary Miliefsky, who founded NetClarity and was involved in the founding of the U.S. Department of Homeland Security.

He breaks network security into 7 basic steps:

1) Roll out corporate security policies
2) Deliver corporate security awareness and training
3) Run frequent information security self-assessments
4) Perform regulatory compliance self-assessments
5) Deploy corporate-wide encryption
6) Value, protect, track and manage all corporate assets
7) Test business continuity and disaster recovery planning

I'm going to spend my next few posts discussing each of these aspects of security, beginning with the first step, Roll Out Corporate Security Policies, in this post.

In his article, Gary lays the foundation of network security by discussing security policies. Several industry-accepted standards can be used as a basis for establishing company security policies:

Additionally, I often find organizations are willing to adhere to regulatory standards established for the US government, such as the Federal Information Security Management Act (FISMA), now merged with the FIPS 200 standard.

The key to these standards is to remember that none of them are technology-specific, vendor-specific, solution-specific or implementation-specific; they are guidelines to establishing a secure infrastructure and are open to some interpretation.

I can, unfortunately, say that I have actually read each and every word of those standards (to figure out where ScriptLogic's solutions fit) and can tell you that they all boil down to a few key issues you need to address:

  • Assessment - determine the current state of security
  • Assignment - establish standards for implementing security consistently
  • Auditing - validate security controls and test access
  • Accountability - establish processes that utilize justifications and approvals
  • Availability - build a business continuity and/or disaster recovery plan
  • Assurance - maintain an environment not prone to outside influence via malicious code

The combination of these basic concepts makes up ScriptLogic's Security Lifecycle Map which we use to denote where our solutions fit in the security "big picture."
