Mitigating the Complexities of Security Management

Guest commentary: The world is full of rapidly developing threats. Symantec Senior Director of Product Management Craig Rode explores some of the problems and general approaches that enterprise IT must take in order to keep your soutions ahead of t

Securing your enterprise IT infrastructure can be a complex task. If your computing environment is like most, it is heterogeneous and contains a number of security products from many vendors. You may have diverse intrusion-detection systems, VPNs, firewalls, antivirus software and modems allowing remote users to dial into your network, along with offices in different geographic locations. Potential problems with this scenario arent hard to find. Without a holistic view of the current security structure, how do you go about managing security? Security tools may work well on their own, but how do they work together to protect your network, and how do you monitor their performance?

With todays organizations becoming more global, connected and dynamic in nature, the idea and practice of information security has never been more complex.

Consider the following challenges IT faces in protecting the corporate networking environment:

  • Each week, 60 new software vulnerabilities and 100 new viruses are identified.
  • Customers and stakeholders continue to demand greater levels of services via online systems.
  • Organizations face significant time, budgetary, and personnel constraints.

Traditionally, organizations have relied on a point-product approach to address these issues. However, this has led to a new and seemingly impossible challenge: how to effectively and efficiently manage and mitigate the complexities of this security environment.

Enforcing security policies and regulations
Enterprises need to establish security policies, standards and procedures to enforce information security in a structured way. Conducting a risk assessment will help you to identify and manage the vulnerabilities in your environment. From there, you will be able to develop a proper policy framework and standards and begin constructing a set of policies tailored for your enterprise.

ISO 17799 is one of many government- and industry-based regulations and standards that enterprises are incorporating into their security policies. Your enterprise may also be subject to industry-specific security regulations such as HIPAA and GLBA. These outside policies need to be enforced, in addition to your own in-house policies. Establishing a security policy is one thing—effectively managing and enforcing them is quite another. Keeping access controls, authentication and authorization measures up-to-date on all levels of your network is critical for a security policy to be effective. Any gaps in this information can increase your exposure to threats. Companies may have information security policies in place to protect critical assets and sensitive data, but they rarely have the means effectively to monitor compliance in accordance with that policy.

Continued on Next Page