A company may have purchased the best security technologies that money can buy, trained their people so well that they lock up all their secrets before going home at night, and hired building guards from the best security firm in the business.
That company is still totally vulnerable.
Individuals may follow every best-security practice recommended by the experts, slavishly install every recommended security product, and be thoroughly vigilant about proper system configuration and applying security patches.
Those individuals are still completely vulnerable.
An extract from Kevin Mitnick’s book “The Art of Deception”.
The single weakest link in the security of any organization or individual is the human factor. IT security is not primarily about technology; it is a process, sustained through awareness. You will not know when an adversary will strike; you will only know once it has.
How do you implement IT security? This is a hard question to answer for any individual or organization, because there is no single solution that fits everyone, and a single need may be met by several different solutions. The best approach is to assess your own needs and requirements and then, after careful consideration, adopt a standard framework that best suits them. For example, PCI DSS (the Payment Card Industry Data Security Standard) applies to organizations that process credit card data, HIPAA (the Health Insurance Portability and Accountability Act) applies to the health care industry, and for telecommunications there is a dedicated standard, ISO/IEC 27011, within the ISO 27000 series. Some of these are standards and some are acts. An act is mandatory for the organizations it covers under local law; a standard is, strictly speaking, a guideline, although one such as PCI DSS is enforced contractually by the card brands rather than by statute. At any given time an organization may need to comply with more than one act to satisfy local regulations.
All of these frameworks (and acts) tell you only how to implement IT security according to certain guidelines and how to derive management policies for your own IT security; they do not tell you which technology or tool to use in a specific scenario. Take a very basic need, antimalware: the guidelines will tell you what requirements an antimalware program must meet, but they will not name a specific vendor or product to pick from a list.
One needs to be aware of present-day technology and of the risks, advantages and limitations of each technology and methodology. In short, study an organization’s requirements carefully before trying to implement any particular security solution.
What does an individual need to consider to ‘Be secure, Be Happy’?
I can suggest a few guidelines:
- Never give out information that identifies you, your family or your background to someone you do not know
- Discuss these concerns with your family and friends. Tell them to be alert to any suspicious behaviour or unusual activity
- Memorize your credit card PINs and internet login passwords; never write them down and leave them lying around anywhere except in a safe place
- If you are filling in a form anywhere and they ask for your date of birth, SSN or any ID number, ask questions: Why do you need this information? How do you store these forms? If you are not comfortable with how those records will be protected, do not share the information.
Some guidelines on how to use your computer and how to behave when you are online:
- Always use encryption to store and transfer your important information
- Always keep all applications at the latest patch level, using automatic updates where available
- Use good antivirus, antispyware and firewall software, and keep the virus definitions up to date
- Apart from regularly scanning your computer for malware, I recommend running a free online scanner once every week or two.
- If you are suspicious of a file, you can have it scanned by multiple antivirus engines by uploading it to a site that offers that service
- Never open attachments if you do not know who sent them
- Never follow a website link received from an unknown source
- Stay away from peer-to-peer file sharing unless you trust the source
- Do not enter any personal information until you have double-checked the site address of your financial institution. Most browsers nowadays indicate whether the site presents a valid certificate for the address you typed; check that the address itself is the one you expect, not merely that the padlock is shown.
- If someone asks for your personal or financial information, whether by email or over the phone, never reveal it. Your financial institution will never ask you for such information over the phone.
- Disconnect your computer from the internet when you are not using it, and shut it down when you are not using it at all, to ‘Be Green’
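The two guidelines about unknown links and double-checking the site address come down to one question: which hostname will the browser actually connect to? The script below is an added example, not part of the original post. It assumes a fictional institution whose only legitimate login hosts are under bank.example, and every link it checks is constructed for illustration. It shows the tricks a lure uses (text before an ‘@’, the bank’s name in a subdomain or path, a non-ASCII look-alike letter) and why only the parsed hostname matters.

```python
"""Added example (not from the original post): check a link against the
hostnames at which you actually log in to your financial institution.

The institution's domain, bank.example, and every link below are constructed
for illustration. The hostname the browser connects to is the only thing that
matters: text before '@', the path, or a familiar-looking prefix such as
online.bank.example.evil.example prove nothing.
"""
from typing import Optional
from urllib.parse import urlsplit

# Assumption: the complete list of hostnames where you legitimately sign in.
TRUSTED_HOSTS = {"bank.example", "www.bank.example", "online.bank.example"}
# Strings a lure is likely to embed somewhere in the URL to look familiar.
LURE_TOKENS = ("bank.example", "bank-example", "bankexample")


def host_of(url: str) -> Optional[str]:
    """Return the ASCII, lower-cased hostname a browser would connect to.

    urlsplit() discards user-info, so https://bank.example@evil.example/
    yields evil.example. Non-ASCII labels are converted to punycode (xn--),
    which both neutralises homoglyphs and makes them easy to spot.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        return parts.hostname.rstrip(".").encode("idna").decode("ascii").lower()
    except UnicodeError:
        return None


def check_link(url: str) -> str:
    """Classify a link before you type credentials into the page it opens."""
    host = host_of(url)
    if host is None:
        return "malformed"          # no http(s) scheme, no host, or bad IDN
    if urlsplit(url.strip()).scheme != "https":
        return "not https"          # a real bank login never uses plain http
    if host in TRUSTED_HOSTS:
        return "trusted"
    if "xn--" in host or any(tok in url.lower() for tok in LURE_TOKENS):
        return "lookalike"          # familiar name, but not a trusted host
    return "unknown host"


if __name__ == "__main__":
    for link in (
        "https://online.bank.example/login",
        "http://bank.example/login",
        "https://bank.example@evil.example/login",
        "https://online.bank.example.evil.example/login",
        "https://b\u0430nk.example/login",   # Cyrillic 'а' in place of 'a'
        "https://evil.example/bank.example/login",
        "bank.example/login",
    ):
        print(f"{check_link(link):13} {link}")
```

The allow-list is deliberately exact: a host is trusted only if it is literally one of the names you enrolled, never because it contains or resembles them. That is the same check you should make by eye in the address bar before entering anything.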
Please remember that these are only guidelines; you still need to consider many other factors based on your situation and your lifestyle.
Most importantly, be vigilant about what you do, all the time, until it becomes your way of life. You sometimes need to be careful even with the people you know best. There is a lot more to learn; if you feel that something belongs here, please feel free to comment or email me at Kratu@G.Ho.St.
In addition to the above, here are some highlights from an ISO 27000-compliant framework that any organization needs to consider when implementing IT security.
- Risk Analysis – objectives, roles, responsibilities, program requirements and practices, and program elements
- Staff Member Roles – policies, responsibilities and practices
- Physical Security – area classifications, access controls, and access authority
- Facility Design, Construction and Operational Considerations – requirements for both central and remote access points
- Media and Documentation – requirements and responsibilities
- Data and Software Security – definitions, classification, rights, access control, Internet, intranet, logging, audit trails, compliance, and violation reporting and follow-up
- Network Security – vulnerabilities, exploitation techniques, resource protection, responsibilities, encryption, and contingency planning
- Internet and Information Technology Contingency Planning – responsibilities and documentation requirements
- Travel and Off-Site Meetings - specifics of what to do and not do to maximize security
- Insurance – objectives, responsibilities and requirements
- Outsourced Services – responsibilities for both the enterprise and the service providers
- Waiver Procedures – process to waive security guidelines and policies
- Incident Reporting Procedures – process to follow when security violations occur
- Access Control Guidelines – responsibilities and how to issue and manage badges and passwords
Have Fun!
PS: At present I am working on other related posts. Once I am done I will update this post with appropriate links for solutions.
January 14, 2009 at 5:00 AM
Great article. I appreciate you mentioning PCI compliance. This is so important for online businesses as well. Thanks for the post.