Chart A Plan For Security

Following these four steps will help you shore up your systems.

I.T. departments are under pressure to cut their operating costs, but they're also being asked to improve and standardize information security. Because security doesn't come cheap or easy, technology managers need to chart a clear plan to effectively assess and strengthen security.

Companies once satisfied with distributed and heterogeneous security measures are implementing centralized security infrastructures. Drivers for this upswing include increased industry regulations, especially in health-care and financial services, terrorist threats, and a trend toward the centralization of IT resources in general, as organizations use the economic downturn to retrench IT infrastructures that spiraled out of control during the late '90s.

To ensure a sound security strategy, Doculabs recommends a phased approach, concentrating on four steps. First, assess existing investments and policies. Take an honest, high-level inventory of security-related systems and policies.

Second, perform a gap analysis. How quickly does incident reporting lead to a response? Could both operational efficiency and security be improved by changing a process or technology, such as a more effective identity-management system? If both can be improved at once, it may be easier to develop a concrete return on investment (more on that later). In this phase, it's important to delve into the technical details. It's also a good point to bring in outsiders to help in the planning process or even to attempt to break into systems and find vulnerabilities.


Authentication: Verifies identity by a physical "key" (e.g., a smart card), knowledge system (password), or biometric methods (thumbprint)

Confidentiality: Lets a message or file be viewed only by the intended recipient, usually through encryption

Integrity: Alerts if data's modified en route, usually using digital signatures

Nonrepudiation: Proves a message was sent by the specified party--a digital receipt

Data: Doculabs

Next, develop a security plan and implement changes. Based on the vulnerabilities and opportunities discovered in the first two steps, create an overarching security plan and a phased implementation schedule for necessary components. Not until the plan is assembled does it make sense to start evaluating vendor systems required for implementation. Keep in mind that vendor product designs should not dictate the system design.

Finally, monitor and optimize the system. The work doesn't end once the new security plan and systems are in place. New security threats arise daily, so it's important to have someone on staff dedicated to ongoing threat-assessment monitoring. Additionally, security is often at odds with utility and performance--increase one and the other may decrease. As business requirements change, there may be a need to re-evaluate this balance.

Besides electronic security, there are other areas to consider, including physical security and operational training. Physical security is crucial. The principles of security-technology infrastructures become moot if an intruder can simply walk in and access critical systems. In a similar manner, if operational training isn't in place, a company is open to social engineering: Attackers pretend to be employees, convincing unwitting users to give them valuable information or access to systems. Formal policies around areas such as remote access help employees to recognize and report suspected social engineering.
