Protecting Your Corporate Network
"Next, they need to find where this data lives and what policies are needed in order to protect it," he said. "Finally, they need to implement effective enterprise-wide controls for consistent enforcement. The effectiveness of the final step, implementing proper controls, is reliant on a well-executed data identification and classification process that precedes it.

"And before you can even start implementing a framework, you have to understand the scope and focus the overall effort, otherwise it will end up being a sinkhole in terms of cost and resources," he said.

At Atlanta-based CDC Software, a provider of enterprise software applications, officials utilize a process that weighs the likelihood of a security event and its potential impacts to calculate a risk score.
"This risk score helps to drive discussions and decisions around the prioritization of any needed remediation effort," said Walter Jeske, CDC vice president of IT. "The risks are initially established by the IT organization and then shared across senior management of our organization to elicit feedback. That way we can uncover additional risks and prioritize risk remediation.
"This process works best if it is initiated within IT and used as part of the IT prioritization/demand management process," he said. "One of the keys to success is to state the risk in business terms and be sure it is agnostic to the technology. IT personnel have a tendency to solve a problem with technology and then try to sell the technology solution to the business leaders. This will likely result in business leaders misunderstanding the business risks the technology is solving because IT and the business areas are both using different types of business languages in their interpretation."
Some security professionals also suggested enterprises establish metrics to measure how effective their security tools, policies and procedures are. Those walking into a new job for the first time should begin by looking at any previous security audits and talking to the heads of the various business units to see what their policies and concerns are, they said.
Overall, organizations should take a holistic approach to security and view technology as just one part, security professionals and analysts said. At Mercy Medical Center in Baltimore, hospital officials will be working to integrate logical and physical security, said Mark Rein, senior director of IT.
"Our goal is to provide employees a mechanism to secure ePHI [electronic protected health information], without compromising their access to required data," he said. Rein added that in the near term the hospital will use portal Web pages targeted to increase awareness of ePHI and the hospital's policies on data protection.
A unified approach to security that includes both education and technology, and in which IT security policies align with business security policies, will make for a more secure environment, Forrester's Kark said.
"A lot more organizations now have, or at least are working towards, a framework that is aligned to the corporate security principles they have, the regulatory compliance mandates that they have to follow and kind of the corporate governance types of things and risk management types of things being all included in there," he said.
In a recent survey of almost 200 organizations performed by Forrester, 37 percent admitted they had no data classification policy. In addition, 55 percent of respondents said they have data security policies that are either outdated or require significant changes to bring them in line with regulatory and company mandates, and 27 percent said their policy was rarely enforced.