Security Philosophy
I would be interested in knowing if other companies have a defined and documented security philosophy for IT security, and how you implemented it.

ASKED: May 13, 2004  4:11 PM
UPDATED: May 24, 2004  1:02 PM

Answer Wiki:
Hi there. I can only recommend that you have in place a security policy (issued by top management) and a security plan (implemented, at best, by the IT officer jointly with the person responsible for overall security). How to do it? There are several frameworks on how to do it: BS7799 et al., including ISO 17799 et al. In addition you will find several frameworks from consulting firms (both general consulting and technically oriented consulting). Hard to say which is best, but to have one is key.

How did we do it?

1. Issue a security policy (general statements issued by top management/the CEO, 2-3 pages; content: goals, scope, tasks/duties, responsibilities, security organisation). PS1: Please clearly define whether you are dealing with information security (which is broader in scope) and/or information technology security.

2. Work out a security plan (operational guide/workbook/plan/handbook; yearly/periodically revised; issued by the IS/IT security officer/responsible person; content: a) analysis of the current state (systems, networks, applications, organisation etc.), b) risk analysis (threat analysis), c) IS/IT security goals, d) implementation plan (measures, resources), e) audit/controlling, and then start over with a)).

3. Compile, issue, communicate and audit guidelines where appropriate, backed up with a list of operational measures depending on the threats you identified in 2b -> "what do I do if..." (areas most likely would be: mail and internet use, disaster recovery, physical security, loss of mobile devices, etc.).

That's how we did it in my former job, where I was CIO (company with 4000+ employees, 120+ locations all over Europe). If you need any further assistance, please let me know. Maybe we can strike a deal...

Yours, Richi
Last Wiki Answer Submitted: May 14, 2004 3:17 am by NewPerspective


Discuss This Question:


 

Our VP of IT has laid out and implemented security policies. They are user-based, so whether a user is in Windows Explorer, MS Outlook or our document portal, the user is only allowed to view items deemed viewable by their group, then by user definitions. Each user is assigned to the appropriate group(s) and each group has been given its viewing rights. It does take time and meetings to create these groups and definitions, but it saves in the long run. Also, be sure to use the proper software to help you do this. Our document portal is currently on Windows 2000 servers, but we are deploying a new version August 1st on .NET/2003. This is what prompted us to do the definitions now, so we could easily define and migrate in August. We are also employing RSA's federated identity for customer and vendor relationships.


 

It would also depend on what model of security is used in the organization. The implementation of security around user- and role-based models is different from the HR org-based model, which is generally position- and personnel-number driven. If your organization does not use the HR module, the choice would be limited to user- and role-based security.
One critical factor to consider, due to impending SOA requirements, is segregation of duties (SOD), which requires a much bigger framework to identify the users and user-group assignments, as well as rule building to avoid conflicting access assignments to users. The toughest part here is that SAP does not have robust functionality around SOD. There are a few good software products on the market which can help to manage roles, document them, and control SOD conflicts / access to critical transactions, etc.
I can provide more information if you need it.

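The two comments above describe the same building blocks from different angles: users assigned to groups or roles, each role carrying a set of viewing or transaction rights, and (in the second comment) rules that flag conflicting combinations of those rights, i.e. segregation-of-duties checks. The following script is an added example written for this page, not code from either commenter, from SAP, or from any SOD product. It assumes a minimal model (users -> roles, roles -> permissions, and SOD rules as pairs of permissions one person must not hold together); the role names, permission strings and user assignments are constructed for illustration only.

```python
"""Effective-access resolution and segregation-of-duties (SOD) checks.

Added example for this thread, not code from the original posters or from
any vendor product. Model (an assumption, kept deliberately simple):
  users -> roles, roles -> permissions, SOD rules -> pairs of permissions
  that the same person must not hold at once.
All names below are constructed sample data.
"""
from itertools import combinations

# Roles and the permissions (e.g. transaction codes) each grants. Hypothetical.
ROLE_PERMISSIONS = {
    "AP_CLERK": {"vendor.invoice.enter", "vendor.invoice.view"},
    "AP_APPROVER": {"vendor.invoice.approve", "vendor.invoice.view"},
    "VENDOR_ADMIN": {"vendor.master.create", "vendor.master.view"},
    "TREASURY": {"payment.release"},
    "READ_ONLY": {"vendor.invoice.view", "vendor.master.view"},
}

# Current user -> role assignments. Constructed so that two users violate SOD.
USER_ROLES = {
    "alice": {"AP_CLERK", "READ_ONLY"},
    "bob": {"AP_CLERK", "AP_APPROVER"},       # enters and approves invoices
    "carol": {"VENDOR_ADMIN", "TREASURY"},    # creates vendors and releases payments
    "dave": {"READ_ONLY"},
}

# SOD rules: each pair must never be held by a single person.
SOD_RULES = [
    ("vendor.invoice.enter", "vendor.invoice.approve"),
    ("vendor.master.create", "payment.release"),
    ("vendor.invoice.approve", "payment.release"),
]


def effective_permissions(user, user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Union of the permissions of every role assigned to user.

    A role that is assigned but not defined is an error, not silently empty:
    an undefined role usually means the role catalogue and the assignment
    data have drifted apart, which is exactly what an audit should catch.
    """
    perms = set()
    for role in user_roles.get(user, set()):
        if role not in role_perms:
            raise KeyError(f"role {role!r} assigned to {user!r} is not defined")
        perms |= role_perms[role]
    return perms


def sod_violations(user, user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS,
                   rules=SOD_RULES):
    """Rules violated by the user's effective permissions (detective check)."""
    perms = effective_permissions(user, user_roles, role_perms)
    return [rule for rule in rules if rule[0] in perms and rule[1] in perms]


def conflicting_roles(role_perms=ROLE_PERMISSIONS, rules=SOD_RULES):
    """Role pairs whose combination alone breaks a rule.

    Useful while designing groups: if two roles conflict by construction,
    no user should ever be given both, regardless of other assignments.
    """
    out = []
    for a, b in combinations(sorted(role_perms), 2):
        perms = role_perms[a] | role_perms[b]
        if any(p in perms and q in perms for p, q in rules):
            out.append((a, b))
    return out


def can_assign(user, role, user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS,
               rules=SOD_RULES):
    """Preventive check: would adding role to user create a NEW violation?

    Returns (allowed, new_violations). Pre-existing violations are not
    counted, so a user already in breach can still receive harmless roles;
    those existing breaches are reported separately by sod_violations().
    """
    before = set(sod_violations(user, user_roles, role_perms, rules))
    trial = {u: set(r) for u, r in user_roles.items()}   # copy, do not mutate
    trial.setdefault(user, set()).add(role)
    after = set(sod_violations(user, trial, role_perms, rules))
    new = after - before
    return (not new, sorted(new))


if __name__ == "__main__":
    for u in USER_ROLES:
        print(u, sorted(effective_permissions(u)), sod_violations(u))
    print("conflicting role pairs:", conflicting_roles())
    print("assign TREASURY to bob:", can_assign("bob", "TREASURY"))
    print("assign AP_CLERK to dave:", can_assign("dave", "AP_CLERK"))
```

Running the script reports bob (enter + approve) and carol (create vendor + release payment) as current violations, lists the role pairs that can never be combined, and shows the preventive check refusing to add TREASURY to bob while allowing AP_CLERK for dave. In a real deployment the three dictionaries would be loaded from the directory or application export rather than hard-coded, and the rule list would be agreed with finance and audit before enforcement.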