ARE SECURITY BEST PRACTICES A MYTH ?

23. January 2008, 20:57 | by WD Milner | Full Article

An often used term in business is “best practices”. Generally, this means a commonly accepted, informally standardized set of procedures and policies aimed at a particular goal. But can one really say that the concept can be applied to security?

The whole concept of best practices is, in fact, contextual. While there may be a best practices within an industry or organizational niche, it would be difficult or impossible to carry them across industries. What might be appropriate for one company or organization would not be for another. It might be insufficient, be massively overkill, or not work at all. Each organization needs to look at what others are doing, and integrate such ideas as are appropriate into its own policy and assessment structure and customize as necessary.

The biggest threat to organization is the one that has always existed, not unauthorized access to data, systems and property, but the abuse of those with authorized access. While the threat is not new, there are increasing numbers of new ways to abuse said access. To address this abuse requires consideration of a number of approaches. Limitation of authorized user scope, restriction of access methods, digital rights management and access monitoring. It is a combination of policy, technology and people as a whole that needs to be considered.

Security in the information age is a process, not a project, that periodically restarts at some point to adapt to changing environments. It starts at the policy level and proceeds from there. It needs to be something management can adopt and various departments can implement. These processes require analysis and a forward view as they are cyclical in nature and require long-term operational commitment. The only effective way of getting those with a stake in quantifying security risk and working towards threat mitigation is awareness training. This is regardless of approach as only once all are aware of the issues can any effective measures be taken. From this perspective the only “best practice” is security awareness training for all organizational members, from the janitor to the chairman of the board.

Security is only part of any organization’s operations. There to support and protect its primary activities, it is not, nor should it be, an end in and of itself.

- 30 -

Categories: ,
Keywords: security,best practices,IT,information,access

Comments


 

Commenting is closed for this article.


Article & Comments


Comments are not enabled for all articles or documents.

Article Navigation
|

Categories

Business
Communications
Electronics
Entertainment
Environment
Government
Internet and WWW
Miscellany
Music and Audio
News
Photography
Privacy
Psychology
Security
Society and Culture
Stage and Screen
Technology
Theology
Tips and Tricks
Web Design
Web Site


The Birches - Milner.ca Support Child Safety Online

 

 
 
 Help to FIGHT spam!
 • 
  •
•••