How to choose your IT security level
Aug 1, 1999 12:00 PM, Access Control & Security Systems Integration Staff
Computer information networks - especially the Internet - are the most valuable communication development in the last 40 years. They are here to stay and are the lifeblood of many organizations, so the appropriate level of protection is essential to growth and success.
The first step in choosing computer access controls is to evaluate your needs. A careful cost-benefit analysis is always a good management decision.
Physical controls protect the hardware and physical area without regard for the specific applications. Application controls are safeguards protecting the software and data.
Physical security controls - usually the first line of defense - include:
* appropriate design of the data center;
* an access management system including either card controls, keypads, biometric identification or other access controls;
* shielding against electromagnetic fields;
* fire prevention, detection and extinguishing systems;
* emergency power shut-off and backup power systems;
* sprinklers, water pumps and adequate drainage, although depending on the economics of the system being protected, fire-enveloping Halon gas systems are better solutions;
* properly designed and maintained air conditioning systems; and
* motion detectors and alarms to detect physical intrusion.
Data security controls protect information from accidental or intentional disclosure to unauthorized persons or from unauthorized modification or destruction. Data security is implemented through operating systems, security access control programs, data communications products, backup/recovery procedures, application programs and external control procedures.
Network security controls include access control, encryption and cable testers. Encryption guards against the alteration of data and against viewing select information during transmission and reception. Authentication is essential when providing access to a network.
A variety of authentication mechanisms may be used. The common techniques for the Internet are account number, password and Internet protocol address.
A second layer of defense is a firewall - a computer device placed between an organization's network and the Internet. The more confidential your information, the more important it is to restrict access.
Remember: Securing data and information on local computers or networks not accessible via open communication mediums is far less expensive than securing information available on the Internet. This is both a benefit and a block to Internet communication. As long as you plan and use appropriate controls, the Internet is the most revolutionary communication medium since the telephone and television.
Administrative security controls deal with issuing guidelines and monitoring user compliance. These include:
* appropriate selection, training and supervision of employees, especially in accounting, security and IS;
* fostering company loyalty;
* immediately revoking access privileges of dismissed or resigned employees;
* requiring periodic modification of access controls;
* developing programming and documentation standards;
* randomly auditing the enterprise IS at appropriate intervals; and
* using public key, private key, encryption or other security measures for telecommunication on the data network.
Management concerns. Today more than ever before, security is a managerial issue. Increased security awareness is important for organizations that are heavily dependent on information technology.
Monitoring security measures and assuring compliance with administrative controls are essential to the success of any security plan. Too many controls can be cost-prohibitive. Conducting a cost-benefit analysis and determining the appropriate level of control are important management tasks.
Furthermore, auditing IS should be institutionalized into the organizational culture. You do it for your insurance company, but it can also save you considerable amounts of money. Again, choose the appropriate level of audit for your organization.
Disasters may occur in any place at any time. It is advisable and cost-effective to plan for disasters and minimize recovery time and expense.
© 2008 Penton Media Inc.







