
Chart A Plan For Security

Following these four steps will help you shore up your systems.

I.T. departments are under pressure to cut their operating costs, but they're also being asked to improve and standardize information security. Because security doesn't come cheap or easy, technology managers need to chart a clear plan to effectively assess and strengthen security.

Companies once satisfied with distributed and heterogeneous security measures are implementing centralized security infrastructures. Drivers for this upswing include increased industry regulations, especially in health-care and financial services, terrorist threats, and a trend toward the centralization of IT resources in general, as organizations use the economic downturn to retrench IT infrastructures that spiraled out of control during the late '90s.

To ensure a sound security strategy, Doculabs recommends a phased approach, concentrating on four steps. First, assess existing investments and policies. Take an honest, high-level inventory of security-related systems and policies.

Second, perform a gap analysis. How quickly does incident reporting lead to a response? Could both operational efficiency and security be improved by changing a process or technology, such as a more effective identity-management system? If both can be improved at once, it may be easier to develop a concrete return on investment (more on that later). In this phase, it's important to delve into the technical details. It's also a good point to bring in outsiders to help in the planning process or even to attempt to break into systems and find vulnerabilities.


Authentication: Verifies identity by a physical "key" (e.g., a smart card), a knowledge system (password), or biometric methods (thumbprint)

Confidentiality: Lets a message or file be viewed only by intended recipient, usually through encryption

Integrity: Alerts if data's modified en route, usually using digital signatures

Nonrepudiation: Proves a message was sent by the specified party--a digital receipt

Data: Doculabs

Next, develop a security plan and implement changes. Based on the vulnerabilities and opportunities discovered in the first two steps, create an overarching security plan and a phased implementation schedule for necessary components. Not until the plan is assembled does it make sense to start evaluating vendor systems required for implementation. Keep in mind that vendor product designs should not dictate the system design.

Finally, monitor and optimize the system. The work doesn't end once the new security plan and systems are in place. New security threats arise daily, so it's important to have someone on staff dedicated to ongoing threat-assessment monitoring. Additionally, security is often at odds with utility and performance--increase one and the other may decrease. As business requirements change, there may be a need to re-evaluate this balance.

Besides electronic security, there are other areas to consider, including physical security and operational training. Physical security is crucial. The principles of security-technology infrastructures become moot if an intruder can simply walk in and access critical systems. In a similar manner, if operational training isn't in place, a company is open to social engineering: Attackers pretend to be employees, convincing unwitting users to give them valuable information or access to systems. Formal policies around areas such as remote access help employees to recognize and report suspected social engineering.
