Tuesday, May 29, 2012

Development of IT Security Strategy


In today’s world, use of the Internet, which is essential for organizational development, carries considerable risk to confidential business information. The article ‘IT Security Strategy’ describes how a security strategy must be flexible enough to protect an organization when large amounts of data are added to or removed from the organization. Interestingly, IT security is compared to a sealed glass box containing a green liquid that represents corporate data. The author then explains how the ‘lid’ of the glass box can be removed to provide the flexibility to incorporate the demands of employees and customers. Further, the importance of categorizing data into different components, developing pathways to move information to other business groups, and allowing secure access to data is emphasized.
It can be inferred that the following important security measures should be included in the IT security strategy:
1. Access Control: This refers to the security features that control who can access resources in an organization. It can be modeled as a multi-level hierarchy and is represented by a security matrix. In the article, the author provides the analogy of users pouring different colored liquids into the glass box and fixing the position of each liquid at a specific place in the box. Different spigots can then be used to remove the right liquid.
2. Change Control and Configuration Management (CM): From an IT standpoint, this can be denoted by different versions of the software maintained in a database. Further, several instances of the configuration items can be maintained for development and quality assurance purposes respectively. Browsers and operating systems should be regularly updated, following good patch management practices. The article describes the CM process as defining when the spigot of the glass box can be opened.
3. Internet Usage Policy: This policy defines the types of websites that an employee can access to complete his/her tasks. Some organizations also limit the bandwidth of data that an employee can upload and download. Educating employees on current security threats helps considerably in reducing the risk of a malware attack.
4. Grouping of Data: Corporate data can be divided by sensitivity level, criticality level and access frequency level. Depending on these measures, Internet monitoring software could be implemented to enforce the security strategy and to encrypt confidential data.
It is worth noting that no single measure can completely eliminate the risk of a malware attack, but a well-thought-out security strategy will go a long way in minimizing the frequency of these attacks.

References:
IT Security Strategy: Thinking Inside and Outside the Glass Box
