Many IT Security Heads I've met don't really understand the importance of security.
As such, they cannot successfully explain the need for a larger security expense layout.
And many depend too much on outside help, and much of that outside help charges too much and provides too little, leaving them with little choice but to go for whatever they can afford.
Security should NOT be outsourced.
IT Security Management is mainly obsessed with protecting their company from internet hackers, but many often don't realize the internal exploitability of their data.
For years now it has been foretold that with the advent of 3rd generation firewalls, most of the internet worries have been muffled, but the threat-from-within is just as rampant as ever.
Have all of their employees been informed about social engineering, what it's all about and how to prevent such social engineering attacks when they occur?
Have all of the important customer databases and customer confidential information been properly classified and stored in restricted folders on servers ONLY? Do they have a system in place which disallows such data to be stored locally on their PC? If not, do they have the means to track where such data was copied, who copied it and where they copied it?
Do they have security software installed on all of the PCs to ensure that non-approved memory sticks are not used/usable on front office PCs or backend servers?
Do they have an active policy of keeping track of who has what access to which data and whether that data access is really required or not? Also, do they review that policy and who has what access to which data regularly... at least once every 3 months? Those who require access to such information should not be given indefinite access to such data, but limited to a certain time period. Once that time period has elapsed, they should be required to re-apply for continued permission if they still require access to that information. Otherwise, their permissions should be automatically revoked.
Do they have the proper controls in place to ensure that confidential data is not moved from within the company to laptops? And should such data be required to be moved to a laptop, are the proper security controls in place to ensure that ONLY the required data is copied to that mobile PC? Does that PC have a BIOS password and disk encryption system (other than Microsoft's standard method) installed? Is the administrator's password securely implemented and changed frequently? Likewise, does that PC have proper tracking information on it such that whenever it is booted up they know the last IP where that PC was booted up?
Do they ensure that the data which was stored on that PC has been properly erased (using special erasing software to ensure it was properly removed)?
Strong security requires management who understands security. All employees and management MUST be aware of the security policies, and the checks and balances that ensure the internal security policies are properly implemented require the attention and action of every management staff member in the company, so that the lower echelons are also made aware of such policies and how to properly use the data which they're given access to.
Does the company have an E-learning system set up in house which requires every employee to pass a monthly test to ensure that they're fully aware of the latest policies and new changes?
Is every level of management required to manage those below them as far as who has passed and who has not passed the Security E-learning monthly training/quizzes? Are management graded by how many people below them have completed each monthly training & quiz, and are the management staff graded for their lower echelons' performance scores?
Properly implemented security requires every employee to do their job, including the upper management not only completing the training and quizzes themselves, but also knowing and managing who has and has not completed the courses and the scores of each employee.
Do they have a proper employee deletion program in place such that as soon as employees leave the company their accounts are disabled such that they cannot be used any more... and eventually purged, after the other proper security measures of securing and/or deleting the records which that employee had on their PC?
And the list is really endless.
It's impossible to outsource this level of security... as it requires every employee's attention, understanding and participation to ensure the proper practices are effectively implemented.
FWIW
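An added illustration, not part of the post above, of the access-lifecycle controls it describes: every grant carries an expiry and is revoked automatically when it lapses, a departing employee's grants are disabled in one step, and any grant nobody has re-confirmed in 90 days (the "at least once every 3 months" review) is flagged. The register, user names and dataset names are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# How often every active grant must be re-confirmed ("at least once every 3 months").
REVIEW_INTERVAL = timedelta(days=90)

@dataclass
class Grant:
    user: str
    dataset: str
    expires: date        # every grant is time-limited; nobody holds indefinite access
    last_reviewed: date
    active: bool = True

def expire_grants(grants, today):
    """Revoke every active grant whose period has elapsed; the holder must re-apply."""
    revoked = []
    for g in grants:
        if g.active and g.expires <= today:
            g.active = False
            revoked.append((g.user, g.dataset))
    return revoked

def offboard(grants, user):
    """Disable everything a departing employee holds, immediately and in one step."""
    closed = [g for g in grants if g.active and g.user == user]
    for g in closed:
        g.active = False
    return [(g.user, g.dataset) for g in closed]

def overdue_reviews(grants, today):
    """Active grants that nobody has re-confirmed within the review interval."""
    return [(g.user, g.dataset) for g in grants
            if g.active and today - g.last_reviewed > REVIEW_INTERVAL]

def sample_register():
    # Constructed sample data, not a real access list.
    return [
        Grant("alice", "customer_db", date(2024, 4, 1), date(2024, 1, 1)),
        Grant("bob", "customer_db", date(2024, 9, 1), date(2024, 3, 1)),
        Grant("carol", "payroll", date(2024, 11, 1), date(2024, 5, 1)),
        Grant("carol", "customer_db", date(2024, 11, 1), date(2024, 5, 1)),
    ]

def review_cycle(grants, today_iso, leavers=()):
    """One review run: expire lapsed grants, offboard leavers, list stale grants."""
    today = date.fromisoformat(today_iso)
    report = {"revoked": expire_grants(grants, today)}
    for user in leavers:
        report["revoked"] += offboard(grants, user)
    report["overdue_review"] = overdue_reviews(grants, today)
    report["still_active"] = [(g.user, g.dataset) for g in grants if g.active]
    return report
```

Running `review_cycle(sample_register(), "2024-06-01", leavers=["carol"])` revokes alice's lapsed grant and both of carol's, and flags bob's grant as overdue for review because it was last confirmed 92 days earlier.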
Perhaps migrating to a platform that does not require additional programs is better.