Too often, midsize companies focus strictly on technology, but neglect other steps necessary to manage the IT environment through a crisis. If you take the time to understand business processes, procedures, and workflow, you will be in a better position to provide the IT security that your organization needs.
In Summary:
• Conduct a thorough assessment of business assets, processes, workflows, and job functions.
• Prioritize assets and match security solutions and policies to risk levels.
• Seek input from individuals across the enterprise, and develop a common vision and approach.
Just as security threats differ from organization to organization, so do strategies. A company that does all of its business online or has a high percentage of mobile workers will have different security needs than a retail chain, for example. Company culture may also dictate how you implement security solutions. A thorough upfront analysis — one that conforms to your business plan — can help build a foundation for an effective and cost-efficient security strategy. Your needs, of course, will depend upon your particular business. The loss of important e-mail messages could endanger a law firm's work and undermine client relationships, for example; for a health-care organization, the exposure of a single medical record might lead to bad press and severe penalties under regional or national regulations. It is important to recognize the level of risk that is acceptable to your company — this forces you to identify the areas that are essential to your business.

Identify physical assets

The first — and perhaps easiest — step in your security analysis is to identify your company's IT assets, including such physical assets as notebook computers and portable storage devices. Once you know what you need to protect, you can recommend appropriate solutions and processes, including systems and network configurations, patch management, and hardware and software upgrade paths.

Assess your business processes

Next, analyze your business processes with security in mind. "An organization must know where data is kept, how employees store information, and how it is exchanged internally and externally," says Michael Cobb, managing director of Cobweb Applications Ltd., a consulting firm based in Surrey, England, and a Microsoft Most Valuable Professional (MVP).
For example, employees may rely on low-security applications such as instant messaging to exchange files with others inside and outside the enterprise, or they may store proprietary data on a notebook computer without encrypting it. Such activity calls for new policies from the IT department so that employees don't unwittingly compromise sensitive corporate data. An honest assessment of core processes — with input from cross-functional teams — helps identify weaknesses and potential failure points. Perhaps you review your company's employee termination process and discover that there's no mechanism to ensure that a business manager or human resources manager submits forms to revoke system access and e-mail privileges. If you make this procedure mandatory — and build in the proper workflow — it's possible to eliminate days, weeks, or months of unauthorized access.

Rank your security needs by importance

After you have finished your business-process analysis and made any necessary changes, it's time to prioritize security needs. A basic numerical rating system that ranges from 1 to 3 (low, medium, and high) should provide a starting point to determine which systems and assets are most important. Rate the impact of events resulting from a security breach (such as network downtime or financial costs) on that three-point scale. The resulting matrix should provide insight into what demands the highest priority.

More ways to develop a plan that makes a difference

• Focus on events, not timelines. Although it's often wise to develop a detailed one-, two-, or five-year plan for IT security, know that security needs continue to change. "New technologies and new threats are constantly emerging," Cobb notes. Therefore, focus on policies and procedures that maximize flexibility and accountability, and review your plan on a regular basis.
• Define security responsibilities across the organization. Include them in job descriptions to make security management real. For example, a sales manager may need to carry a notebook PC with customer records and other sensitive data. That individual should be responsible for protecting the data — through encryption, authentication, and other methods.
• Outline a series of steps to follow during a security incident. This can help prevent employees from panicking. After any incident, set up a session with managers and key security staff members to discuss what worked and what didn't work.
• Match the solution with the risk. Focus on the areas of highest business risk first. For a financial institution, for instance, tools that scan outgoing data for certain numerical strings, such as account numbers or a Social Security number, might top the list. For a call center operation, applications that block incoming e-mail attachments might prevent malware from shutting down critical operations.
• Develop a security approach that's flexible but enforceable. This means that any policies and technologies should not undermine productivity. For instance, you may need to let certain employees use portable flash memory devices — which carry a security risk. The IT department must ensure that those employees have access only to appropriate data for their job role, as defined by their managers. Striking a balance between practicality and security is a delicate matter, especially as an organization grows and its IT infrastructure becomes more complex. Technologies such as Microsoft Windows Server 2003 Active Directory can help manage roles and responsibilities.
• Finally, monitor systems and log files on a regular basis. This helps to identify potential problems and respond to changes quickly and efficiently.
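The three-point rating matrix described under "Rank your security needs by importance", worked through as an added example (not code from the article or its author): each asset gets an importance rating, each breach event an impact rating per asset, and the asset's priority is its worst cell. The asset names and ratings are constructed for illustration.

```python
SCALE = {1: "low", 2: "medium", 3: "high"}

def check_rating(value, label):
    """Every rating must sit on the article's 1-3 (low/medium/high) scale."""
    if value not in SCALE:
        raise ValueError(f"{label}: rating {value!r} is not 1, 2 or 3")
    return value

def risk_matrix(assets, impacts):
    """Build the matrix: one cell per (asset, breach event).
    assets:  {asset_name: importance_rating}
    impacts: {asset_name: {event_name: impact_rating}}
    Cell score = asset importance x event impact, so it ranges 1..9.
    """
    matrix = {}
    for asset, importance in assets.items():
        check_rating(importance, asset)
        for event, impact in impacts.get(asset, {}).items():
            check_rating(impact, f"{asset}/{event}")
            matrix[(asset, event)] = importance * impact
    return matrix

def prioritize(assets, impacts):
    """Rank assets by their worst cell; ties broken by importance, then name.
    Returns [(asset, worst_score, driving_event, importance), ...]."""
    matrix = risk_matrix(assets, impacts)
    ranked = []
    for asset, importance in assets.items():
        cells = [(score, event) for (a, event), score in matrix.items() if a == asset]
        worst_score, worst_event = max(cells, key=lambda c: c[0]) if cells else (0, None)
        ranked.append((asset, worst_score, worst_event, importance))
    ranked.sort(key=lambda r: (-r[1], -r[3], r[0]))
    return ranked

# Constructed sample for a small firm; the ratings are illustrative only.
SAMPLE_ASSETS = {"e-mail server": 3, "sales notebooks": 2, "print server": 1}
SAMPLE_IMPACTS = {
    "e-mail server":   {"network downtime": 3, "financial cost": 2},
    "sales notebooks": {"data exposure": 3, "financial cost": 1},
    "print server":    {"network downtime": 2},
}

if __name__ == "__main__":
    for asset, score, event, importance in prioritize(SAMPLE_ASSETS, SAMPLE_IMPACTS):
        print(f"{score:2d}  {asset:16s} driven by '{event}' (importance {SCALE[importance]})")
```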
While there's no simple way to address security concerns in today's business environment, a thorough assessment process and business-aligned security plan are the best way to reduce risk. "Sound security practices are never an accident," Cobb concludes. "They're the result of careful and thoughtful analysis, and they involve all corners of an organization."

Samuel Greengard is a West Linn, Oregon, writer who specializes in business and technology. He is a regular contributor to the Microsoft Midsize Business Center.