Vigilance
- Identify every enterprise department's involvement in IT security; share information on policies, responsibilities, incidents and lessons learned.
- Determine required response times for various classes of IT breach; ensure that business arrangements reflect these needs.
- Evaluate insurance policies with regard to IT security threats; resolve any questions of coverage or response.
- Develop positive programs for reinforcing good security practices; promulgate specific consequences for negligence or misconduct that threatens IT assets.
- Integrate security considerations into all project proposals to avoid higher cost and weaker security from downstream add-on measures.
- Implement access control procedures that formalize both the granting and the termination of privileges for both individuals and groups.
- Design security systems for robustness and economy, not just theoretical strength; reflect organizational roles in security arrangements rather than giving IT administration undue control of business operations.