Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Top Tips For Best Security Practices

Centralization, automation, problem prioritization--many IT-security professionals are embracing those concepts as they fight off the never-ending onslaught of threats. Security products can help businesses stem the flood of vulnerabilities, but IT teams also have to put in place processes to ensure that they're responding appropriately and being proactive in warding off potential dangers. Fact is, some companies spend too much on some parts of their organization and not enough on more-vulnerable areas.

Security pros are under increasing pressure to do the job right and cost-effectively as networks extend beyond firewalls to remote users, partners, and customers, and to cell phones, PDAs, and other mobile devices; regulatory requirements to safeguard data have risen; and concerns about identity theft are at an all-time high. Hackings and other unauthorized access contribute to the approximately 10 million instances of identity theft each year in this country, according to the Federal Trade Commission. "How sensitive is a company about being on the front page of the paper?" asks Pete Lindstrom, founder and analyst at Spire Security. InformationWeek and others have reported on a rash of cases involving inadequate security and poor handling of customer data. "If the value of assets is high, companies should follow security best practices," Lindstrom says.

To understand how companies are managing it all, InformationWeek interviewed business-technology professionals on the front lines to see how they're handling some common security issues. From the higher-level picture of risk management to the nitty-gritty details of patching, here's how they do it.

Start With A Master Plan
It doesn't make sense to spend $10,000 to protect a $10 asset. That's the way Christofer Hoff, chief information security officer at Western Corporate Federal Credit Union, sees it. Every security-remediation plan requires knowing how important a specific asset is to the company before time and money are spent securing it. For example, an E-commerce server that brings in millions of dollars in sales is more important than a print server, so it's higher on the fix and secure lists.

CISO Christofer Hoff worked with business-unit managers to set security priorities.

CISO Hoff worked with business-unit managers to set security priorities.

It's all about intelligently managing risk, rather than knee-jerk reactions to the multitudes of threats, Hoff says. Instead of looking for "some Holy Grail security-management product," he set priorities with business-unit managers. Some of the questions they discussed: What would the impact to the business be if the main E-commerce server were compromised? And what exposure would the business suffer if it couldn't process millions of dollars in transactions? "Our business units define what's needed to stay online," he says.

  • 1