Security Philosphy

Security management
I would be interested and knowing if other companies have a defined and documented security philosophy for IT security and how you implemented it.

Answer Wiki

Thanks. We'll let you know when a new response is added.

Hi there

I can only recommend you to have in place a security policy (issued by top mgmt) and a security plan (implemented – at best – by the IT officer jointly with the overall security responsible).

How to do it?

There are several frameworks on how to do it. BS7799 including ISO 17799 In addition you will find several frameworks from consulting firms (both general consulting and technical oriented consulting). Hard to say which is best, but to have one is key.

How did we do it?

1. Issue a security policy (general statements issued by the top mgmt/CEO, 2-3 pages; content: goals, scope, tasks/duties, responsibilities, security organisation)
PS1: Please clearly define whether you are dealing with information security (which is broader in scope) and/or information technology security.

2. Work out a security plan (operational guide/work-book/plan/handbook; yearly/periodically revised; issued by the IS/IT security officer/responsible; content: a) analysis of current state (systems, networks, applications, organisation etc), b) risk analysis (threat analysis), c) IS/IT security goals, d) implementation plan (measures, resources), e) audit/controlling and start over with a)

3. Compile, issue, communicate and audit guidelines where appropriate backed up with a list of operational measures depending on the threats you identified in 2b -> “what do i do if…” (areas most likely would be: mail and internet use, disaster recovery, physical security, loss of mobile devices, etc….)

That’s how we did it in my former job where I was CIO (company with 4000+ employees, 120+ locations all over Europe).

If you need any further assistance, please let me know. Maybe we can strike a deal…


Discuss This Question: 2  Replies

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.
  • BigBob
    Our VP of IT has laid out and implemented security policies. They are user based, so whether a user is in windows explorer, ms outlook or our document portal, the user is only allowed to view demeened items by their group, then user definitions. Each user is assigned to the appropriate group(s) and each group has been given their viewing rights. It does take time and meetings to create these groups and definitions, but it saves in the long run. Also, be sure to use the proper software to help you do this. Our document portal is currently on win2000 servers, but we are deploying a new version August 1st on .net/2003. This is what prompted us to do the definitions now, so we could easily define and migrate in August. We are also employing RSA's federate identity for customer and vendor relationships.
    0 pointsBadges:
  • VnvRrw2C
    It would also depend upon what model of security is used in the organization. The implementation of security around user and role based is different than the HR org based, which is generally position and personnel number driven. If your organization does not use HR module, the choice would be limited to user and role based security. One critical factor to consider due to impending SOA requirements is the Segregation of duties, which requires much bigger framework to identify the users and user group assignments as well as rule building to avoid conflicting access assignment to users. The toughest part here is that SAP does not have a robust functionality around SOD. There are few good softwares in the market, which can help to manage roles, document them and control SOD conflicts / access to critical transactions etc. I can provide more information if you need it.
    0 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

Thanks! We'll email you when relevant content is added and updated.


Share this item with your network: