Organizations Urged to Stay Protected from IT Security Threats

By Chris Preimesberger  |  Posted 2005-09-14 Print this article Print

Companies should formulate IT security policies and communicate them to their employees, the president of RSA Security tells Ziff Davis Internet Virtual Tradeshow attendees.

Companies must incorporate best IT security practices in their daily routines if they intend to protect data assets and instill confidence in their customers, the CEO of a high-profile data security company told attendees during a keynote speech online Wednesday at the Ziff Davis Internet Virtual Tradeshow. Art Coviello, CEO and president of RSA Security Inc., told seminar attendees that only about 20 percent of businesses in the United States actually have formulated IT security policies and have communicated them clearly to their employees. About 40 percent of companies are in the process of developing such policies, he said.
Best-practice IT security policies involve "reasonable and appropriate" controls, Coviello said, over online and internal data access and storage; logging and reporting; employee authentication and levels of permission access; business partner/customer access to company data; and compliance with Sarbanes-Oxley and HIPAA regulations.
"And dont forget one of the most common security problems we see: properly removing data access to former employees," Coviello said. "Deleting but not de-registering a former employee completely from the companys IT system is one of the biggest headaches there is." Secure data is a "business enabler," Coviello said, in that it gives customers confidence that their own personal information—if given through an Internet sales transaction, for example—wont be inadvertently made available to outside sources. "Customers must have the confidence that companies that possess their personal information will handle it with due care and appropriately provide for its security," Coviello quoted Federal Trade Commission Chairwoman Deborah Majorus as saying recently. Organizations need to come up with a "risk management profile" as a first step in gaining control over security issues and unforeseen problems, Coviello said. "They need to assess the risks they now have, set some policies, develop a plan, and then implement and evaluate controls [on a daily basis]," he said. This profile would include assessments of a companys Internet access (both wired and wireless), logging and reporting procedures, data storage and protection, access control of company data and other assets, and employee authentication procedures, Coviello said. Click here to read more about protecting corporate data. Risk profiles should be updated annually, Coviello said. "The penalties for not having this kind of full profile are potentially harsh," Coviello said. "The stakes are being raised all the time. The loss of a companys reputation to security concerns can be absolutely fatal." Coviello suggested that companies enact best practice policies in the following general areas:
Risk Management
  • Classify data by sensitivity and criticality
  • Implement appropriate information security controls
  • Monitor/evaluate controls on an ongoing basis
  • Implement appropriate authentication techniques
  • Keep authentication mechanisms effective
  • Protect storage & transmission of authentication information
  • Control authentication for access to external systems
  • Develop & enforce a strong password policy
  • Use multi-factor authentication when strong passwords fail
  • Use multi-factor authentication for remote access
  • Use multi-factor authentication for system administrators
  • Implement single sign-on systems
  • Control display of information in the log-on procedure
  • Set up emergency access procedures
    Access Control
  • Integrate access control with effective authentication
  • Restrict users knowledge of unauthorized functions
  • Separate security administration functions
  • Assign individual users unique credentials
  • Ensure timely user life cycle management
  • Remove inactive or redundant user accounts
  • Monitor guest/anonymous user accounts
  • Grant access rights based on least privilege
  • Conduct regular reviews of access rights
    Data Protection
  • Use appropriate cryptographic techniques
  • Employ effective key management procedures
  • Use stringent root key protection measures
  • Ensure applications developed with appropriate security controls
    Logging and Reporting
  • Protect logging mechanisms from reactivation or compromise
  • Ensure logged data is accessible for review
  • Capture user & event information
  • Utilize centralized logging
  • Record significant key events
    Coviello currently serves as co-chair of TechNet New England and is a member of TechNets CEO Cyber Security Task Force. He is also a founding board member of the CSIA (Cyber Security Industry Alliance) and was appointed to co-chair of the National Cyber Security Summits Corporate Governance Task Force, a public-private initiative co-organized by the U.S. Department of Homeland Security and leading industry associations. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.
    Chris Preimesberger Chris Preimesberger was named Editor-in-Chief of Features & Analysis at eWEEK in November 2011. Previously he served eWEEK as Senior Writer, covering a range of IT sectors that include data center systems, cloud computing, storage, virtualization, green IT, e-discovery and IT governance. His blog, Storage Station, is considered a go-to information source. Chris won a national Folio Award for magazine writing in November 2011 for a cover story on and CEO-founder Marc Benioff, and he has served as a judge for the SIIA Codie Awards since 2005. In previous IT journalism, Chris was a founding editor of both IT Manager's Journal and and was managing editor of Software Development magazine. His diverse resume also includes: sportswriter for the Los Angeles Daily News, covering NCAA and NBA basketball, television critic for the Palo Alto Times Tribune, and Sports Information Director at Stanford University. He has served as a correspondent for The Associated Press, covering Stanford and NCAA tournament basketball, since 1983. He has covered a number of major events, including the 1984 Democratic National Convention, a Presidential press conference at the White House in 1993, the Emmy Awards (three times), two Rose Bowls, the Fiesta Bowl, several NCAA men's and women's basketball tournaments, a Formula One Grand Prix auto race, a heavyweight boxing championship bout (Ali vs. Spinks, 1978), and the 1985 Super Bowl. A 1975 graduate of Pepperdine University in Malibu, Calif., Chris has won more than a dozen regional and national awards for his work. He and his wife, Rebecca, have four children and reside in Redwood City, Calif.Follow on Twitter: editingwhiz

    Submit a Comment

    Loading Comments...
    Manage your Newsletters: Login   Register My Newsletters

    Rocket Fuel