How do companies implement a strategic information security program? - strategic agility
In almost all cases, large companies have a miserable time implementing and maintaining an Information Security Management program. How do you justify an investment in information security that reduces risk and improves the security of the enterprise, while maintaining business and IT agility and avoiding bureaucracy?
3 comments:
What? Is it time for the final exam or what?
I can tell you from personal experience that companies are not pained in implementing information security by a lack of technology, given that security is already built into most infrastructure technology, or by having an all-powerful central security governance. Companies struggle with security because it is difficult to get a businessman to spend money on a risk that is intangible in size. In the best case, the security team uses disaster scenarios to scare up joint funding for any current program of risk management. In the worst case, IT security is buried in the network group.
Getting your arms around what goes into a comprehensive security program is half the battle, and that has more to do with business processes and personnel performance than with firewall technology or fantasy. First, define a program along the following categories:
1. Governance
2. IP / Information Management Professional Liability Insurance
3. Facilities
4. The common security and emergency management
5. System scanning and event monitoring
Secondly, always, always collect hard metrics on user access requests, policy exceptions, and system audit results. You will use this data to justify security to the company based on the increased risk from user behavior. Show that viruses are getting in and spreading, and you will get some attention from the business.
Third, track these indicators over time, with some rigor. You need to monitor changes in the security threats and base your report on a measure of the number and severity of events within the company. If you do a good job, your ongoing projects to address these security risks get priority over whatever cool gadgets anyone wants to implement.
Finally, treat security as a process, not as a tool, and resist the computer clowns and their AV and IDS toys. Processes are defined, measured and optimized, while today's technology is tomorrow's landfill.
And ... if a company wants IM Consulting to complete a "governance framework, based on the COSO / COBIT / ISO methodology" for their "door security company," get a rope. Death is too good for them.
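The second and third points above (collect hard metrics, then trend the number and severity of events over time so the report is based on data) are the part of that comment a practitioner can actually automate. The following is an added example, not code from the thread or from any commenter: it buckets a constructed set of security events (access requests, policy exceptions, audit findings, malware incidents) by month, computes count, severity sum and maximum severity per category, and flags the categories whose weight rose in the latest month. The event records, category names and the 1-5 severity scale are assumptions made for the example.

```python
"""Security-program metrics: count and trend events by category and severity.

Added example, not from the original thread. The event records below are
constructed sample data; the field names and severity scale are assumptions.
"""
from collections import defaultdict
from datetime import date

# Constructed sample events: (date, category, severity 1-5, note).
SAMPLE_EVENTS = [
    (date(2024, 1, 9),  "access_request",   1, "new hire, finance share"),
    (date(2024, 1, 15), "policy_exception", 3, "USB storage enabled, engineering"),
    (date(2024, 1, 22), "audit_finding",    2, "stale admin account"),
    (date(2024, 2, 3),  "malware",          4, "macro dropper via e-mail"),
    (date(2024, 2, 11), "policy_exception", 3, "local admin granted to sales"),
    (date(2024, 2, 14), "policy_exception", 2, "firewall rule, vendor VPN"),
    (date(2024, 2, 27), "malware",          4, "worm spread to 12 hosts"),
    (date(2024, 3, 5),  "access_request",   1, "contractor, read-only"),
    (date(2024, 3, 8),  "malware",          4, "phishing payload blocked late"),
    (date(2024, 3, 19), "policy_exception", 4, "AV disabled on build server"),
    (date(2024, 3, 30), "audit_finding",    3, "shared service password"),
    (date(2024, 3, 31), "malware",          5, "ransomware note on file server"),
]


def period_key(d: date) -> str:
    """Bucket events by calendar month (YYYY-MM)."""
    return f"{d.year:04d}-{d.month:02d}"


def summarize(events):
    """Return {period: {category: {"count", "severity_sum", "max_severity"}}}."""
    summary = defaultdict(lambda: defaultdict(
        lambda: {"count": 0, "severity_sum": 0, "max_severity": 0}))
    for d, category, severity, _note in events:
        cell = summary[period_key(d)][category]
        cell["count"] += 1
        cell["severity_sum"] += severity
        cell["max_severity"] = max(cell["max_severity"], severity)
    # Freeze to plain dicts, oldest period first, so callers see ordinary data.
    return {p: dict(cats) for p, cats in sorted(summary.items())}


def trend(summary, category, metric="severity_sum"):
    """Series of (period, metric) for one category, zero-filled for quiet months."""
    return [(p, cats.get(category, {}).get(metric, 0)) for p, cats in summary.items()]


def rising(summary, metric="severity_sum"):
    """Categories whose metric rose in the latest period versus the one before.

    These belong at the top of the risk report: the number (count) or weight
    (severity_sum) of incidents is increasing, not merely present.
    """
    periods = list(summary)
    if len(periods) < 2:
        return []
    prev, last = periods[-2], periods[-1]
    categories = set(summary[prev]) | set(summary[last])
    out = []
    for c in sorted(categories):
        before = summary[prev].get(c, {}).get(metric, 0)
        after = summary[last].get(c, {}).get(metric, 0)
        if after > before:
            out.append((c, before, after))
    return out


def report(events=SAMPLE_EVENTS):
    """Plain-text report suitable for a monthly risk briefing."""
    s = summarize(events)
    lines = []
    for p, cats in s.items():
        lines.append(p)
        for c, cell in sorted(cats.items()):
            lines.append(f"  {c:17s} n={cell['count']:2d} "
                         f"severity_sum={cell['severity_sum']:2d} max={cell['max_severity']}")
    lines.append("rising (prev -> last):")
    for c, b, a in rising(s):
        lines.append(f"  {c}: {b} -> {a}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

The point of `rising()` is the one the comment makes: a category that is merely present every month does not justify new spend, but one whose severity-weighted total is climbing (here, malware going from 8 to 9 between February and March despite the same count) gives the business a number to react to. Replace `SAMPLE_EVENTS` with rows exported from a ticketing or SIEM system and the same functions produce the monthly trend.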
SQL servers are great for security, but they have weaknesses that leave them vulnerable. If they are kept updated, however, that should reduce their vulnerability. Then the company needs to get a program such as Novell Deskworks to make sure no unwanted programs run. Combine that with a more stable, fast server on AMD processors (as opposed to the infamous crashes and memory loss of the Intel Xeon). That should be all the information you need. Hope it helps!
-Cybersnark
Most companies use a combination of AV, an automated control center, and training for users on what to do if you get a virus by e-mail. From my point of view, no matter how high-end the combination of devices on your network, people still find a way around your INFOSEC. The best way to reduce the risk is user education and a strict firewall / proxy policy. Scanning of incoming and outgoing e-mail can track whether someone is being liberal with their data. True mobility for Internet users is limited by tight security, but it is easier, except in the case of users who leave the whole network open. I hope this is something similar to what you are looking for.