Locking Up: Security To-Do ListLocking Up: Security To-Do List

Most companies are looking more seriously than ever at security, and new initiatives are receiving greater financial support than they have in the recent past. Experts advise businesses to re-evaluate computer security practices in the wake of the Sept. 11 attacks.

Check computer security policies and computer security systems to make sure they're in sync. Conduct a security audit of policies and systems. The audit will bring to light major network and operating-system vulnerabilities. Review the audit results and set priorities for what needs to be fixed. Tackle the most critical problems first, says George Kurtz, CEO of computer-security consulting firm Foundstone Inc. Once is not enough-run the audits at least annually. Make sure security policies are implemented consistently across departments and computer sys-tems. Internal security gaps, if left unaddressed, provide an easy way for hackers to penetrate IT systems. Make sure IT departments have the latest versions of software, bug fixes, and security patches installed on critical systems. (The Code Red virus was able to spread because many companies simply didn't install a patch Microsoft had made available for its Internet Information Services Web server.) Implement intrusion-detection software that automatically scans a network for attempted incursions. Don't scrimp on security expertise. If you haven't already, create a chief security officer position and make sure the administrators managing key networks and applications are fully trained. An improperly configured router or firewall can provide just the sort of open door a hacker needs to slip in undetected. Implement behavioral security measures that monitor employees' use of technology resources. If someone's behavior deviates from normal practice, says Christopher Darby, CEO of security consultant @Stake, investigate the situation. close this window