ComputerLink
articles by Brian Pitre

Security Policy: The First Step to an Effective Intranet Implementation
By definition, an Intranet is a secure portion of an organization’s Website. Many people, however, incorporate a technology (a firewall, for example) into their Intranet to ensure the strength of their security. The first step to an effective Intranet, however, should not be technology – it should be a well-designed security policy recognized by company employees.
Most computerized firewall vendors say that their security has never been technically breached, and for the most part that’s true. But if you walk through any moderate-sized company, you are sure to see a few people who have their user name and password stuck to their monitors. No single technology is equipped to correct that form of security breach.
The notorious hacker Kevin Mitnick of South Carolina, who robbed credit card numbers from a bank, exemplifies the importance of security policy. Instead of devising a clever technical scheme, he played upon people’s ignorance about the importance of technological security.
Using a cloned cellular telephone to avoid tracing, he called a bank and told an unsuspecting employee that he was calling from their internal information systems department. He said there was a problem with the bank’s computer systems and asked them for their user name and password. Mitnick assured the unsuspecting employee that he would call back with a new password once the problem was fixed. Armed with the passwords, he removed 100,000 credit card numbers in a few minutes.
Statistically, the number one security risk in an organization is more likely a disgruntled employee or a malicious former employee than an unknown hacker. Many organizations are using more technology so they need fewer people to operate their business. Ironically, some of the people who lose their jobs become potential threats to the organization’s information security. Management, however, often fails to take the time or spend the money to train people about protecting technology. But as companies become more dependent on computers and networking, their security policy should become a primary focus.
With today’s high rate of IT personnel turnover, CEOs and top corporate officers need to protect their organization’s security by considering the employment of a trusted third party. Using outside resources with a broad base of experience and no political agenda can play a crucial role in security policy. Although many organizations may have a competent staff, an outside resource can provide independent audit capabilities and an independent review of security policy.
Since security risks have increased over the past two years by nearly forty percent, organizations must become clearer on the level of risk they are willing to assume. An organization should set budgets that include the potential financial loss if security is breached.
A recent survey by Ernst & Young found that seven out of ten companies could not define measurable financial loss in their organization, while other companies reported losses would be greater than one million dollars. A practical perspective on online security will determine what level of security your organization requires. A bank, for example, requires a higher level of security than an internal manufacturing production schedule, but one thing is certain - you need some level of security in your organization right now.
The general outline for adopting a good security methodology includes defining policy, auditing, securing systems, monitoring, testing, employing trusted third parties, and continuously improving overall security by focusing on organizational education.
In the majority of cases, a well-formed security policy requires that every employee in the organization understand their security responsibilities. It is often the social elements of security that are more difficult to handle than the technical ones.