Network Computingwww.networkcomputing.com

		our customizable newsletter, sends you security alerts, product updates and software patches on the products you use. Sign up now at www.networkcomputing.com /express/

When it comes to security, you have no choice--you need a strong security policy and a mechanism to enforce it. The first item on your security policy list should be personnel security, or if you'd like, securing your information and systems from the people on the inside. The second item should focus on physical security, or securing your systems from people you don't know or who sneak through or around the doorway.

Slime Happens Everyone thought he was a nice guy. Everyone thought he knew his technology. Everyone got along with him. Everyone was surprised when he turned out to be a malevolent, conniving thief who stole from under everyone's nose. Everyone was indignant when he was escorted out of the building by security. Everyone was amazed how the wool was pulled over their eyes. Everyone was astonished that he got away with it. No one should have been surprised.

You know exactly who I'm talking about. After all, it seems that everyone has one or two of these tales of terror to tell.

Management in the computer industry (this means you) keeps its head in the clouds and its nose to the grindstone. The work ethic of countless IS professionals has built the U.S. software industry into a world leader. Unfortunately, this focus blinds us to the reality of the lack of ethics in the underbelly of our industry. There are people who have replaced any type of ethics with a seemingly endless ability to produce one scam after another.

This lack of awareness often leads us into the equivalent of a boxing ring, but we're dreadfully unaware that a fight is about to begin. Our opponent gets in the first punch and only then do we start wondering how we might defend ourselves. We don't anticipate the danger, therefore, we have neither a defense nor an offense. This no-win situation is one in which we hope we'll never find ourselves.

This analogy is not something out of the late '80s Wall Street, Book of the Five Rings, a samurai approach to marketing and competition. Everyone knows it's a competitive market. That knowledge implies a certain readiness on our part, and that readiness means success. But we never seem to translate this readiness into the ability to recognize the, we hope, rare--though nevertheless certain--appearance of individuals who will, among other things, misrepresent their skills and bilk you out of your staff budget, deliver intelligence to your competitors, hack your site and steal your equipment.

You can work for years and never run into these problems. But in the interest of being prepared, managers need both a good defense and a good offense so that they can act quickly should the signs of compromised physical security or an employee who has misrepresented his or her skills begin to show.

Looking Over Your Shoulder Risk assessment is commonly defined as the likelihood of attack for a given resource. In my experience, the most likely resource for attack is that which can be most directly converted into money.