Enterprise Security Policies: Protecting Corporate Systems And Proprietary Data Assets

Are your corporate networks, intranets, extranets and e-commerce transactions secure from attack? Increased use of the Internet, networking capabilities and e-commerce transactions by organizations has tremendously increased the potential losses from inadequate security. A recent survey of management at several top public and private sector organizations in the United Kingdom, commissioned by Dimension Data, showed that fifty-four percent of information technology managers admitted their organizations did not have a security plan in place or were not sure one existed. These statistics are not surprising considering recent security breaches at companies such as Yahoo and Microsoft. In the case of Microsoft, a teenage hacker may have accessed proprietary source code for a significant period of time. The Computer Security Institute also announced that of the respondents to its recent survey, primarily large corporations and government agencies, ninety percent reported cyber attacks in 2000, resulting in more than $275 million in financial losses.

Inadequate security can cause short-term losses to an organization, including website damage, viruses, system downtime, fraud, theft of or access to proprietary data, and the cost of repair and recovery. In the long term, these damages may result in loss of business and revenue as well as bad publicity to the benefit of competitors. Worse yet, these threats are more likely to originate from within an organization than from outside. These perpetrators are often employees who have access and codes to penetrate corporate systems. Every organization needs an enterprise security policy to protect corporate data and technology assets. An effective security policy is a continuous process developed and implemented by management, affecting all aspects of corporate data assets, fundamental business processes and functions throughout an organization.

Development of an enterprise security policy begins with two assessments: a technology assessment, measuring the vulnerability of existing systems and the potential for loss, and a risk assessment, identifying and valuing data assets to determine an acceptable level of risk. These preliminary assessments result in the short- and long-term goals and parameters of an enterprise security policy. With these assessments, appropriate controls can be implemented to effectuate the goals of the enterprise security plan.

The enterprise security policy, the reasons for it and related controls must then be communicated to employees, continually reinforced, maintained, updated and supported by management. Lack of support and reinforcement by management can lead to circumvention of controls and decreased productivity of employees. Statistically, the number one security risk in an organization is an unhappy employee or former employee, a risk that is amplified by today's high turnover rate.

Technology Assessment

An organization must consider its particular business objectives and technology needs in developing an enterprise security policy. The development process should begin with assessment of...
