Internet Security
SECURITY ADMINISTRATION

 

Managing the Internet security program requires confirming that all elements of the program are implemented. The critical paths and time line for the program are major benchmarks to be used in judging the administration process. If delays in implementing critical program elements threaten the success of your program, you should determine the importance of those facets of  the program and act accordingly. Procuring and implementing intrusion detection systems throughout the company may, for example, prove to take more time than anticipated. A reasonable interim strategy might be to implement these systems in the most business-critical systems within networks that connect to the Internet. Full  implementation of these could be delayed.

Once the elements of your company's Internet security program are installed, proper security administration requires verifying that they remain in place and continue to achieve the purpose for which they are intended. Regularly and systematically examining each element of the program is a logical course. In doing so, you may  discover, for example, that some users have set up unauthorized modems to  their host machines.

The basis for your discovery could be findings from an audit, interviews with users, or the use of a "war dialer", ,a program that dials one telephone number after another and records connection tone. Determining the severity of the problem detected, and then developing a reasonable solution to be implemented within an appropriate time period are constant challenges for any business.

Good security administration also requires thorough documentation of any evaluations and feedback about the program status. Close  communication with  other groups such as IT, audit, and central business units is an additional ingredients for success.

Perhaps our most important recommendation here is to approach the issue of compliance in a reasonable manner that balances business goals with security needs. Each business unit has its own computing needs. Special projects sometimes require temporary relaxation of the Internet security control measures. Avoiding extremely rigid, uncompromising stands while still progressing toward effective security maximizes the chances of having a successful program.

Case Study : Internet Security Administration
Every network that Company X owns is connected to the Internet. The user community and the computing needs within this US firm are diverse; it has many production systems in addition to dedicated research and development systems connected to the corporate networks.

Because security needs for the many computing environment differ, security administration is very flexible. The company's corporate Internet security policy includes mandates for dealing with UNIX security exposures. Business unit managers must respond within two weeks to every vulnerability described in the vendor-initiated notices that are distributed widely  within the corporation. Response options include the following :

  1. Immediately fix the vulnerability in all systems within the business unit.
  2. Commit to fix the vulnerability in all systems within the business unit by a certain date
  3. Request a partial or full waiver of the requirement to fix the vulnerability for some or all systems within the business unit. In this event, the business unit manager must submit a rationale based on business justification.

Requiring a response within two weeks helps ensure that every business unit pays attention to and performs a cost justification analysis for each announce vulnerability. Allowing a degree of leeway in dealing with the vulnerability accommodates the needs of individual business units and, perhaps most important, conveys a reasonable attitude on the part of the security administration function.

 

References : 
Terry Bernstein, Anish B. Bhimani, Eugene Schultz, Carol A. Siegel, Internet Security for Business, Wiley Computer Publishing, John Wiley & Sons Inc, 1996 


[Home] - [Isi Buku Tamu] - [Lihat Buku Tamu] - [Email]
Copyright © 1999-2007, InVirCom. All rights reserved.