Big4Guy

Welcome to Big4Guy.com. Big4Guy is an online resource where I will share with you the latest news, insights, knowledge and some experiences as a Big 4 consultant. We will discuss some of the important issues which organizations are facing today in the areas of information security, and security and controls in SAP R/3, Oracle Applications, J.D. Edwards, PeopleSoft and various other ERPs. You will also find information on the latest compliance regulations such as Sarbanes-Oxley, Basel II and so on. Big4Guy will also attempt to provide valuable resources for individuals interested in examinations such as the CISA, CISM, CISSP, PMP and various other security certifications considered essential for entry into any of the Big 4 accounting, auditing and consulting firms. You are invited to post your comments and viewpoints on the posts here. I sincerely hope this online journal will be useful to everyone from a budding student to a professional in the accounting, auditing, management and consultancy professions.
In this ever-changing world, the information held by any organization is constantly exposed to threats, both internal and external. If there is a vulnerability in your information systems, there is no doubt that it will be exploited sooner or later. Many of my clients ask me the same question: where do I start with information security? Let me make it clear: information security is not a destination but a journey. You cannot just install a firewall, sit back and say "I am secure". Information security is a combination of many things. To start with, let me take you through the basic steps needed for a better security environment.
Document Security Policies - The first thing to do is to define security policies that state the appropriate behaviour in every technical area. Standards and guidelines should also be documented to help implement the high-level information security policies in practice. Policies could include an acceptable use policy, a firewall policy, a data management policy and so on.
Install Firewalls - Firewalls play a key role in securing your networks. Having a firewall installed is like locking the door to your house and letting in only people you know. Firewalls range from simple packet filters to proxies, stateful inspection firewalls and application gateways, and each approach has its pros and cons. Whichever type you choose, the rule set should deny everything by default and permit only the traffic the business actually needs. I would advise you to get some technical help in deciding which firewall is suitable for your organization.
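To make the difference between the firewall types concrete, here is an added example (not code from the original post, and not real firewall software) that simulates a plain packet filter beside a stateful inspection filter on the same five packets. The internal network prefix, the single published service (SMTP) and the packets themselves are all constructed assumptions. The stateless filter has no memory, so it can only treat "any inbound packet with the ACK flag set" as a reply; the stateful filter records which connections inside hosts opened and lets in only packets that answer one of them.

```python
"""Toy packet filter, stateless vs. stateful (constructed example, not real firewall code)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal TCP header view: addresses, ports and the SYN/ACK flag bits."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


INTERNAL_PREFIX = "10.0.0."   # assumption: the protected LAN is 10.0.0.0/24
INBOUND_SERVICES = {25}       # assumption: only the mail server port is exposed


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def stateless_filter(pkt: Packet) -> bool:
    """Plain packet filter: no memory of past packets.

    Outbound traffic and the published service are allowed. For everything
    else it can only guess from the flags: a packet with ACK set is assumed
    to be a reply to a connection an inside host opened, so it is let in.
    """
    if is_internal(pkt.src):
        return True
    if pkt.dport in INBOUND_SERVICES:
        return True
    return pkt.ack          # blocks bare SYNs, but any forged ACK passes


class StatefulFilter:
    """Stateful inspection: inbound packets must match a connection in the table."""

    def __init__(self) -> None:
        self.connections: set[tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> bool:
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if is_internal(pkt.src) or pkt.dport in INBOUND_SERVICES:
            if pkt.syn and not pkt.ack:
                self.connections.add(flow)   # remember who opened the connection
            return True
        # unsolicited inbound: allowed only if it answers a connection we recorded
        return reverse in self.connections


def run_scenario() -> dict[str, tuple[bool, bool]]:
    """Replay constructed traffic; returns {description: (stateless, stateful)} verdicts."""
    stateful = StatefulFilter()
    traffic = [
        ("outbound SYN to web server",
         Packet("10.0.0.5", 40000, "203.0.113.9", 80, syn=True)),
        ("SYN/ACK reply from web server",
         Packet("203.0.113.9", 80, "10.0.0.5", 40000, syn=True, ack=True)),
        ("unsolicited SYN to internal SMB",
         Packet("198.51.100.7", 3333, "10.0.0.5", 445, syn=True)),
        ("forged ACK-only packet to internal SMB",
         Packet("198.51.100.7", 3333, "10.0.0.5", 445, ack=True)),
        ("inbound SMTP to mail server",
         Packet("198.51.100.7", 5000, "10.0.0.2", 25, syn=True)),
    ]
    return {name: (stateless_filter(p), stateful.decide(p)) for name, p in traffic}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:40} stateless={'pass' if stateless else 'drop':4} "
              f"stateful={'pass' if stateful else 'drop'}")
```

Both filters agree on the first three packets and on the published SMTP service. They part ways on the forged ACK-only packet aimed at an internal file server: the packet filter has to let it through because the ACK bit is its only clue, while the stateful filter drops it because no inside host ever opened that connection. That is the practical reason stateful inspection is the usual minimum today.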
Enhance Physical Security - Physical security goes a long way in complementing other security solutions. Look around your office and identify every point of physical access to your information systems. Simple measures such as locking doors and shredding discarded paperwork can prevent theft of equipment, dumpster diving and the like.
Regular Backups - Backups serve as a form of insurance in case of disaster. A system failure can result in the loss of critical organizational data and consequently bring operations to a halt. Backups are justified even if you need to rely on them only once. Deciding what to back up, when to back up and how frequently are just some of the issues to address. It is good practice to test your backups regularly by actually restoring them, or by replicating the data to a standby system and running operations from it: a backup that has never been restored is not proven to work.
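The restore test is the part most often skipped, so here is an added example (not from the original post) of a small restore drill: the backup records a SHA-256 checksum of every file at the time it is taken, and a restore is only declared good when every restored file matches. The directory layout and the sample data files are constructed; the second half of the drill deliberately truncates a file on the backup media to show that a plain copy would restore it without complaint, while the manifest catches it.

```python
"""Backup with a checksum manifest plus a restore drill (constructed example)."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(src: Path, dest: Path) -> dict:
    """Copy every file under src into dest; return {relative path: sha256} taken from the source."""
    manifest = {}
    for path in sorted(src.rglob("*")):
        if path.is_file():
            rel = path.relative_to(src)
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, target)
            manifest[rel.as_posix()] = sha256_of(path)
    return manifest


def verify_restore(restored: Path, manifest: dict) -> list:
    """Check a restored tree against the manifest; an empty list means the drill passed."""
    problems = []
    for rel, expected in manifest.items():
        path = restored / rel
        if not path.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(path) != expected:
            problems.append(f"corrupt: {rel}")
    return problems


def restore_drill() -> tuple:
    """Returns (problems on a clean restore, problems after the backup media was damaged)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, backup, restore = root / "data", root / "backup", root / "restore"
        # constructed sample data standing in for an application's files
        (src / "ledger").mkdir(parents=True)
        (src / "ledger" / "gl_2005.csv").write_text("account,debit,credit\n1000,250.00,0.00\n")
        (src / "app.ini").write_text("[db]\nhost=db01\n")

        manifest = make_backup(src, backup)
        shutil.copytree(backup, restore)
        clean = verify_restore(restore, manifest)

        # simulate a silently truncated file on the backup media, then restore again
        (backup / "ledger" / "gl_2005.csv").write_bytes(b"")
        shutil.rmtree(restore)
        shutil.copytree(backup, restore)
        damaged = verify_restore(restore, manifest)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = restore_drill()
    print("clean restore:", clean or "OK")
    print("after media damage:", damaged)
```

Keep the manifest somewhere other than the backup media it describes; if both sit on the same tape or disk, the same fault can take out the evidence along with the data.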
Secure Wireless Access Points - Without any protection on its wireless access points an organization is very vulnerable to attack. Using wireless networks has become a necessity these days rather than an option. This is completely fine provided such networks are properly secured with strong encryption (128- or 256-bit keys). Note that the key length alone tells you little: WEP is broken even with 128-bit keys and should not be used; use WPA2 with AES instead, and if you rely on a pre-shared key, choose a long, random passphrase, because once an attacker has captured the handshake the passphrase can be guessed offline at leisure.
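To show why the passphrase, not the advertised key length, is what decides the strength of a pre-shared-key network, here is an added example (not from the original post) that derives the WPA2 pairwise master key the way IEEE 802.11i specifies, PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations and a 256-bit output, and then runs an offline dictionary attack against two networks. The SSID, the two passphrases and the wordlist are constructed. For simplicity the attack compares the derived PMK directly; a real attacker would instead check each guess against the MIC in a captured 4-way handshake, which is computed from the PMK, but the outcome is the same.

```python
"""WPA2-PSK key derivation and an offline dictionary attack (constructed example)."""
import hashlib


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes), as IEEE 802.11i specifies."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


def dictionary_attack(ssid: str, target_pmk: bytes, wordlist: list) -> tuple:
    """Try each candidate offline; returns (passphrase, guesses used) or (None, guesses used)."""
    for guesses, candidate in enumerate(wordlist, start=1):
        if wpa2_pmk(candidate, ssid) == target_pmk:
            return candidate, guesses
    return None, len(wordlist)


# constructed wordlist of the kind an attacker would start with
WORDLIST = ["password", "letmein", "qwerty123", "wireless", "Summer2005!"]


def demo() -> tuple:
    """Both PMKs are 256 bits long; only the passphrase decides whether the attack succeeds."""
    ssid = "CorpWiFi"                                 # assumption: the office SSID
    weak = wpa2_pmk("Summer2005!", ssid)              # constructed weak passphrase
    strong = wpa2_pmk("kT9#vR2mQ8wL4pZx!bN6", ssid)   # constructed long random passphrase
    return dictionary_attack(ssid, weak, WORDLIST), dictionary_attack(ssid, strong, WORDLIST)


if __name__ == "__main__":
    (weak_hit, weak_tries), (strong_hit, strong_tries) = demo()
    print(f"weak network:   recovered {weak_hit!r} after {weak_tries} guesses")
    print(f"strong network: recovered {strong_hit!r} after {strong_tries} guesses")
```

The derivation is the same in both cases and both keys are 256 bits, yet the first network falls in five guesses. Real wordlists run to millions of entries and GPU crackers test many thousands of PBKDF2 candidates per second, so a passphrase that appears in any such list offers no protection regardless of the cipher behind it.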
Strong Logical Access Controls - Make sure your software and ERPs have strong logical access controls built in. Access should always be granted on a need-to-know and need-to-do basis, and denied by default. Authentication and authorization should be in place at every relevant layer: operating systems, middleware, development servers and, most importantly, the production environment. There is no point in physically securing facilities if a member of staff can wreak havoc with unauthorized access.
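The two halves of "need to do" are that an action is allowed only when a role explicitly grants it, and that no single person should hold a combination of roles that lets them complete a sensitive process alone. Here is an added example (not from the original post, and not any real ERP's authorization model) of both checks over a constructed purchase-to-pay process: a deny-by-default authorization function and a segregation-of-duties review that flags users whose combined roles conflict. The role names, permissions, conflict pairs and user assignments are all assumptions.

```python
"""Deny-by-default authorization and a segregation-of-duties check (constructed example)."""

# constructed roles for a purchase-to-pay process; names are assumptions, not any real ERP's
ROLE_PERMS = {
    "ap_clerk":     {"invoice.create", "invoice.view"},
    "ap_approver":  {"invoice.view", "invoice.approve"},
    "vendor_admin": {"vendor.create", "vendor.view"},
    "treasury":     {"payment.release"},
    "auditor":      {"invoice.view", "vendor.view"},
}

# constructed conflicts: holding both halves lets one person complete a fraud alone
SOD_CONFLICTS = [
    ("vendor.create", "payment.release"),
    ("invoice.create", "invoice.approve"),
    ("invoice.approve", "payment.release"),
]


def effective_permissions(roles) -> set:
    """Union of everything the assigned roles grant; an unknown role grants nothing."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMS.get(role, set())
    return perms


def is_authorized(roles, action: str) -> bool:
    """Deny by default: an action is allowed only if some assigned role grants it explicitly."""
    return action in effective_permissions(roles)


def sod_violations(roles) -> list:
    """Conflict pairs that one user's combined roles satisfy in full."""
    perms = effective_permissions(roles)
    return [(a, b) for a, b in SOD_CONFLICTS if a in perms and b in perms]


def review_users(assignments: dict) -> dict:
    """Periodic access review: {user: conflicts} for every user whose roles combine badly."""
    report = {}
    for user, roles in assignments.items():
        conflicts = sod_violations(roles)
        if conflicts:
            report[user] = conflicts
    return report


# constructed user-to-role assignments for the review
USERS = {
    "alice": ["ap_clerk"],
    "bob":   ["ap_approver", "treasury"],
    "carol": ["vendor_admin", "treasury"],
    "dave":  ["auditor"],
}


if __name__ == "__main__":
    print("alice may approve invoices:", is_authorized(USERS["alice"], "invoice.approve"))
    for user, conflicts in review_users(USERS).items():
        print(f"SoD conflict for {user}: {conflicts}")
```

Each role on its own is legitimate; the problem only appears when the review looks at what a user can do across all of their roles, which is why the check runs over the combined permission set rather than role by role. Run the same review whenever roles change, not just at year end.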
Get Technical Help - Many organizations do not have the technical knowledge required to implement information security solutions. My advice is to get that help, whether outsourced or in-house. Trying to implement security without a strong understanding of the concepts can turn into a nightmare. Remember, security is not free; it comes at a cost.