Cutter Consortium
  For more information on Cutter Consortium's Business Technology Trends and Impacts Advisory Service, please contact Dennis Crowley at +1 781 641 5125 or e-mail dcrowley@cutter.com.
17 December 2002

SECURITY: WHAT TO DO NEXT

These days, it seems that everyone is interested in all aspects of security, privacy, and business resumption planning (also known as disaster recovery). Auditors are scrambling to ensure that the companies they audit are prepared for all sorts of contingencies they only imagined might happen in 2000 (when they were worrying about Y2K compliance fallout). Today, auditors are developing "minimum acceptable security standards" to make sure their clients have considered all aspects of internal security and privacy.

Although the data suggests that we're doing okay overall, here's a list of 15 things you can do today (if you haven't already done them):

  1. Design and write a security policy.
  2. Design and write a privacy policy.
  3. Develop an overall technical and procedural security/privacy architecture.
  4. Communicate the policy and architecture and develop some training around the programs.
  5. Enhance your existing password authentication tools and procedures; explore alternative authentication methodologies, including biometrics and smart cards.
  6. Keep up with firewall technologies continuously; they change all the time, and at the network perimeter they are still your first line of defense (though not a substitute for securing what sits behind them).
  7. Redefine your access policies to networks, applications, and databases; revisit employee, supplier, and customer access requirements -- some may no longer be valid or reasonable.
  8. Explore alternative administration tools and techniques, especially those embedded in larger network and systems management frameworks, and develop metrics for total cost of ownership and effectiveness (return on investment) so you can justify deploying a serious framework.
  9. Review your disaster recovery plans and determine whether they are adequate to resume business if a disaster strikes; set up procedures to review (and test) the plans at least twice a year; make sure they are well defined and well funded.
  10. Look at your security/privacy management team: check to see whether it's adequately funded and whether it reports to high enough managers in the organization.
  11. Determine whether you need a chief security officer (CSO).
  12. Determine whether you need a chief privacy officer (CPO).
  13. Check the funding for security and privacy and determine whether it's adequate.
  14. Look at your security sourcing and determine whether you have the right mix of insourcing, cosourcing, and outsourcing arrangements necessary to satisfy your security and privacy requirements.
  15. Determine whether your supply chain and transaction partners have adequate security and privacy to support your emerging e-business models.

--Steve Andriole, Senior Consultant, Cutter Consortium
