Advertisement
 
To print: Select File and then Print from your browser's menu

--------------------------------------------------------------
This story was printed from ZDNet Australia.
--------------------------------------------------------------
Essential steps to a secure network

By Louis Nel, MSCE, TechRepublic
November 26, 2002
URL: http://www.zdnet.com.au/news/security/soa/Essential-steps-to-a-secure-network/0,130061744,120270197,00.htm


IT pros know that a solid security plan includes more than firewalls, patches, and hot fixes. Follow this plan to achieve optimum security by building a systematic and structured foundation.

We all claim to understand the importance of network security. We stand around water coolers chatting about this worm, that newly discovered security hole, this patch, and that hot fix. As IT managers, we know it’s our job to ensure that all the latest patches are not only applied, but applied immediately. And thank goodness for antivirus autoupdates and firewalls.

But a proper security requires much more. It necessitates a systematic, structured approach; without one, your design might end up with many gaping holes.

According to the paper, "Best Practices for Enterprise Security", which appeared on Microsoft Technet:

“The term computer security is a generalisation for a collection of technologies that perform specific tasks related to data security. Using these technologies effectively to secure a corporate network requires that they be integrated into an overall security plan. The planning process for their proper implementation involves:

  • Gaining a detailed understanding of the potential environmental risks (for example, viruses, hackers, and natural disasters).
  • Making a proactive analysis of the consequences of and countermeasures to security breaches in relation to risks.
  • Creating a carefully planned implementation strategy for integrating security measures into all aspects of an enterprise network, based on this understanding and analysis.”

Not only will a structured, well-planned approach save you more time than you invested in the planning, it might well save your job.

Do a risk assessment
To secure a network, you must first do a thorough risk/threat assessment. That’s easier said than done, but it need not be an insurmountable task, either. All you need is the right approach. The important thing to remember is that this is not a one-person show (or even an IT department show). To get the bigger picture—as well as all the little details—you’ll have to consult widely within the company.

First, get an executive with clout on your side—someone who can back your efforts. It will make it clear to all involved that this is not just “another IT department thing,” but an initiative with the blessing of the “powers that be.” It might just make some busy manager a little more cooperative.

Now sit down and think. Draw up a detailed list of questions you need answers to. Run that by colleagues and peers. But always remember to keep the list “open”—always ask the people you’re interviewing what else they can think of or would like to add. You might be surprised what someone comes up with.

Start with the general and work your way down to the particular. Ask yourself—and the executives, managers, and department heads—about your company’s business plan. Your company’s annual report is a useful and often overlooked source for such information (and a good overview of your company structure).

A hint: Don’t simply distribute a questionnaire with a deadline slapped onto it. You’ll most likely get back a rushed response, probably even delegated to someone who doesn’t have all the answers (or the time or inclination to answer). Set up meetings and interview people. This strategy has the added bonus that it will get them thinking about security—even after you’re gone.

Tip
An excellent tool for a security analysis is Microsoft’s free Security Advisor (ITASecur.exe) from its IT Advisor series. You can download the file here.

Weigh the value of the asset
When doing risk assessment, always keep in mind that to determine the risk, you have to determine the value. The more valuable the asset is, the greater the need for its security. This may seem pretty obvious, but it’s something that people often lose sight of. It’s also not always obvious what those “assets” are.

Here’s an example: A consultant interviewed the CEO of a large corporation. At the end of a fruitful discussion, both were pretty certain they had it all covered. It was over coffee that the CEO proudly revealed that his company is working on a new product that’s sure to take the market by storm. Further investigation by the consultant revealed that engineers working on the product carried around highly confidential information relating to the product development on their laptops—unencrypted. E-mail relating to the project was not encrypted either.

Once you have the bigger picture about your company’s structure, business processes, communications, assets, and so on, you’ll have a good idea what needs to be secured. Now is the time for the IT department to sit down and discuss the best ways to secure those assets and processes. Also, establish immediate, short-term, medium-term, and long-term goals.

It’s also the time to determine the need for training. Is your IT department up to all the tasks, or is training needed?

Once implemented, monitor the security set-up on an ongoing basis. And review your security plan regularly, because as companies change, so does the security landscape.

Security plan summary

  1. Get backing
  2. Plan before you start
  3. Have a structured, but open-ended approach
  4. Consult widely
  5. Implement
  6. Monitor
  7. Revisit, review, and redo

Sign up for the Internet Security TechMail today!
Get valuable tips, links to security alerts and resources, and much more, all delivered straight to your inbox, absolutely free.

TechRepublic is the online community and information resource for all IT professionals, from support staff to executives. We offer in-depth technical articles written for IT professionals by IT professionals. In addition to articles on everything from Windows to e-mail to fire walls, we offer IT industry analysis, downloads, management tips, discussion forums, and e-newsletters.

©2001 TechRepublic, Inc.


Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.
ZDNET is a registered service mark of CBS Interactive. ZDNET Logo is a service mark of CBS Interactive.