Companies should formulate IT security policies and communicate them to their employees, the president of RSA Security tells Ziff Davis Internet Virtual Tradeshow attendees.
Companies must incorporate best IT security practices in their daily routines if they intend to protect data assets and instill confidence in their customers, the CEO of a high-profile data security company told attendees during a keynote speech online Wednesday at the Ziff Davis Internet Virtual Tradeshow.
Art Coviello, CEO and president of RSA Security Inc., told seminar attendees that only about 20 percent of businesses in the United States actually have formulated IT security policies and have communicated them clearly to their employees.
About 40 percent of companies are in the process of developing such policies, he said.
Best-practice IT security policies involve "reasonable and appropriate" controls, Coviello said, over online and internal data access and storage; logging and reporting; employee authentication and levels of permission access; business partner/customer access to company data; and compliance with Sarbanes-Oxley and HIPAA regulations.
"And dont forget one of the most common security problems we see: properly removing data access to former employees," Coviello said.
"Deleting but not de-registering a former employee completely from the companys IT system is one of the biggest headaches there is."
Secure data is a "business enabler," Coviello said, in that it gives customers confidence that their own personal informationif given through an Internet sales transaction, for examplewont be inadvertently made available to outside sources.
"Customers must have the confidence that companies that possess their personal information will handle it with due care and appropriately provide for its security," Coviello quoted Federal Trade Commission Chairwoman Deborah Majorus as saying recently.
Organizations need to come up with a "risk management profile" as a first step in gaining control over security issues and unforeseen problems, Coviello said.
"They need to assess the risks they now have, set some policies, develop a plan, and then implement and evaluate controls [on a daily basis]," he said.
This profile would include assessments of a companys Internet access (both wired and wireless), logging and reporting procedures, data storage and protection, access control of company data and other assets, and employee authentication procedures, Coviello said.
Click here to read more about protecting corporate data.
Risk profiles should be updated annually, Coviello said.
"The penalties for not having this kind of full profile are potentially harsh," Coviello said. "The stakes are being raised all the time. The loss of a companys reputation to security concerns can be absolutely fatal."
Coviello suggested that companies enact best practice policies in the following general areas:
Classify data by sensitivity and criticality
Implement appropriate information security controls
Monitor/evaluate controls on an ongoing basis
Implement appropriate authentication techniques
Keep authentication mechanisms effective
Protect storage & transmission of authentication information
Control authentication for access to external systems
Develop & enforce a strong password policy
Use multi-factor authentication when strong passwords fail
Use multi-factor authentication for remote access
Use multi-factor authentication for system administrators
Implement single sign-on systems
Control display of information in the log-on procedure
Set up emergency access procedures
Integrate access control with effective authentication
Restrict users knowledge of unauthorized functions
Separate security administration functions
Assign individual users unique credentials
Ensure timely user life cycle management
Remove inactive or redundant user accounts
Monitor guest/anonymous user accounts
Grant access rights based on least privilege
Conduct regular reviews of access rights
Use appropriate cryptographic techniques
Employ effective key management procedures
Use stringent root key protection measures
Ensure applications developed with appropriate security controls
Logging and Reporting
Protect logging mechanisms from reactivation or compromise
Ensure logged data is accessible for review
Capture user & event information
Utilize centralized logging
Record significant key events
Coviello currently serves as co-chair of TechNet New England and is a member of TechNets CEO Cyber Security Task Force.
He is also a founding board member of the CSIA (Cyber Security Industry Alliance) and was appointed to co-chair of the National Cyber Security Summits Corporate Governance Task Force, a public-private initiative co-organized by the U.S. Department of Homeland Security and leading industry associations.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.