COMPUTER BUSINESS REVIEW

Critical. Authoritative. Strategic.

TECHNEWS

CBR is proudly produced & published
by Technews
www.technews.co.za
Issue Date: August 2000 (es)

10 tips to protect business data

August 2000
Nanoteq Product Development Managers, Japie van Niekerk and Eric McGee

In South Africa, executives are becoming aware of the security issues affecting their company's technology infrastructures. But because security is essentially intangible, many feel they are either over or under protected.
The key to well-implemented security is to make sure that it is effective and that it does the job it needs to do. Analysis, not fear, should be what drives decisions.
1. Perform a security assessment
Managers need to identify the areas in which their businesses are vulnerable. Identify the information that needs to be protected and determine the impact it would have on the company's ability to do business if that information is lost.
Have an independent party challenge the company's security because internal staff are not the best judge of the business's potential pitfalls. A security audit/network assessment of this type should be conducted at least twice a year to determine how software and hardware additions and changes have affected security.
2. Create a security policy
Assess the risk and benefits of creating a permissive or restrictive policy and expect to be attacked both from outside and from within. The company policy should cover not only what is in place today but also how to deal with the addition of new computers, account creation and removal, password choices and changes, user behaviour and regular audits.
It is also important to have a contingency plan in place for the worst-case scenario and then work to make sure it does not happen. Disaster recovery procedures should be in place.
3. Do not forget physical access
Servers, routers and switches should be locked up in a restricted room. Anyone with physical access can wreak havoc within the network.
4. Keep up to date
Subscribe to security advisory mailing lists. Implement a procedure for getting updates, bug fixes and the latest patches.
5. Lock down the server operating systems
Disable any unneeded services and make sure administrator passwords are not static. Make sure that the remote management sessions across the network are encrypted and detailed authentication is done. Ensure procedures exist to remove former employees' accounts quickly. Audit network user accounts regularly to make sure they are not unnecessarily or incorrectly changed.
6. Restrict network access
Create day and time restrictions for employees who do not need around-the-clock availability because doing so leaves the network less open. Do not make Internet access default for systems such as HR applicant servers that do not need access.
7. Protect logs
Without protected records of what is happening, management will not know when the company has been compromised and will have little recourse against those who have caused harm. Also remember to capture audit logs in realtime from the operating system, database, middleware and applications to a centralised location for safekeeping. In addition, always maintain a strong back-up strategy for both data and security logs.
8. Dig multiple trenches
Take a layered approach to security. Move away from thinking that the organisation is secure with a firewall and basic network security. Use host-and network-based intrusion detection, application security schemes and file encryption in addition to firewalls which will provide better security around the network, operating systems, desktops, applications and databases.
9. Stay in touch
Make sure to set alarms to notify management immediately when something unusual happens in the network. Use multiple notification methods such as network messages, e-mail and pager messages to stay up to date.
10. Foster in-house security expertise or consider farming out the duties
Companies do not always have the necessary skills within and cannot expect to become experts overnight. Routing and DNS issues are complicated, each has its own nuances and someone who understands the current hazards will be needed. A small corps of in-house people devoted to security issues should be created or the outsourcing of security needs considered.
Thus, the good news is that companies can protect the information carried across computer and telephone networks. These days, securing these systems is not an option - it is a necessity.
For details, contact Nanoteq on tel: (012) 672 7000, fax: (012) 665 0343 or e-mail: info@nanoteq.com


Others who read this also read these articles

Search Site





Search Directory

  • Search for:





Subscribe

Previous Issues