Tuesday, May 3, 2011

How to Prevent Hacking of Your PC? Part 2

Inside Jobs
Roland Jones, Sun Microsystems senior product manager for Java security, said you can spend all of the money in the world on encryption, but security is a bigger package.
"Why go off the deep end and encrypt every little thing, only to find out everyone has their passwords stuck on their computers?" he said.
The whole package includes better business practices, Dumas said. You should train all existing staff and new hires about Internet security and give a refresher course every year. Support should come from the top down. One way to test your business processes is to think about whom you would call if you discovered a security breach. You should have at least one full-time person dedicated to securing infrastructure.
Finn noted that employee security breaches also are an issue. Insiders often inappropriately use company information.
"There are not any foolproof technological means for preventing that; you have to rely on good procedural measures to address those kinds of risks," he said.
If you have a database server that is storing credit-card information or user profiles, you can do several things to make sure your system can't be compromised. Methods include doing background checks and maintaining strong host security. Host security means locking down and limiting access to your systems where you maintain sensitive information. You should issue policies stating which users are allowed to log in to a computer, who is allowed to maintain systems and how often employees must change passwords. Keep records of who accesses internal systems, and audit what they do when they are connected.
Dumas added that sometimes untrustworthy employees will defend criminal actions by saying that nobody told them breaching inside security was wrong. You should notify employees that you don't permit internal breaches.
Another way to maintain security while connected to the Internet is to partner with security companies or organizations. When programmers develop a product, or when web designers create a site, they think about functionality and design rather than security. Asking a cryptologist or security specialist to check out your system can plug security holes. Vestcom's Ward said organizations such as the National Automated Clearinghouse Association are working to set industry standards for EBPP that address security and passing data.
Ward pointed out you should ask your bank how it is enabling electronic information exchange, and follow its lead. Most big banks have their own initiatives and will share them with you. You also should make sure you are dealing with a reputable party before you ask a company to help you. Finn said you can gauge reputation by asking a company if it is certified by the International Computer Security Association. This industry group evaluates firewalls and ensures they meet minimum security criteria. Potential partners should be familiar with the various kinds of attacks that hackers can mount against computer systems. Look for a company with vast experience, and check its references.
Ryan said you can have the best security system in the world, but the real challenge is implementation. Look for vendors with the most experience in security. Government agencies, for example, are not likely to hire amateurs, so references such as post offices or other federal agencies are a good sign the vendor is legitimate.
