Security Overview
Gone are the days when our threats were local and visible: the thief who came in
through the window, manipulated the combination lock on the safe, and photographed
the documents inside. Today's thieves operate around the clock, from other time zones,
entirely electronically and without our knowledge. Yet we still feel a false sense of
security. Out of sight, out of mind: because we do not see the attack, we are lulled
into believing we are not a target and are therefore safe. Wrong!
Because we humans are by nature too trusting and accommodating, we often give away
vital information (digital cookie crumbs) that lets attackers learn valuable details
about our computer systems. The aim is to find the balance between user-friendly,
easily accessible systems and locked-down security that prevents data or information
from being stolen by an attacker. We should be protective without being paranoid.
Unfortunately hacking is so easy a child can do it, and often it is a child. Whoever
is doing it, and however it is happening, the fact that we do not immediately see
physical results does not mean it is not happening. The intrusion may already have
succeeded, with the intruder sitting on what was taken and waiting for a better or
more valuable piece of information before acting on it.
The Key
Security is a process, a state in time. It is NOT a system, a fact, or a set thing.
In other words, security is ongoing (a process). A system may be OK and safe in this
moment, but attacked the next by some new vulnerability or method (a state in time).
There is no absolute (fact) or fixed system that guarantees security.
Example: We put in a firewall and presto, we think we are protected. Sorry, NO, we are NOT!
Admittedly we have some security in place, but maybe not enough. We must ask:
Is it correct for our business environment? Is it doing its job and being effective?
The honest answer is that it all depends on our environment and the configurations
currently in use.
Risk Assessment
The correct approach is to first value our assets. For financial people (accountants
and CFOs) this is an old practice, the asset inventory register. That is a good start,
but what about our unseen, digital assets? Yes, the server hardware may have cost
$20,000, but how much is the data stored inside the server worth?
Here is an example: "The hard drive(s) crashed and the accounting data is gone, no
records whatsoever." How much have we just lost?
What price could we put on retaining a set of accurate financial records? That would
give us a good idea of the value of our accounting files.
Another scenario: "The hard drive(s) crashed and we have lost our employee contracts.
An employee is currently suing us for wrongful termination."
Once we have a realistic idea of the value of an asset, we can decide how much it is
worth spending to protect it: the cost of the protection should be in proportion to
the loss it prevents.
Call ISSCP today to help you understand the TRUE value of your computing assets.
The key to good security is knowing your specific environment through your BCP
(Business Continuity Plan) and creating what is unique to your organization, the BIA
(Business Impact Analysis). Without your own BCP and BIA, guessing at the true asset
value in order to decide the security it needs is like playing Russian roulette.
Do NOT risk your security, and ultimately your reputation, by implementing security
poorly. Remember also that federal compliance regulations now hold senior management
accountable for security weaknesses.
Allow our dedicated staff to help you evaluate your security position.
Each business is subject to governing rules or compliance laws. For example:
Healthcare has HIPAA (Health Insurance Portability and Accountability Act), with its
own rules and guidelines required by federal law.
Publicly traded companies have SOX (Sarbanes-Oxley Act), with its own rules and
guidelines required by federal law.
Anyone handling credit cards has PCI DSS (Payment Card Industry Data Security
Standard), whose rules are required not by law but by the major credit card companies.
Which one applies to you? Which do you have to abide by, and what exactly does it
require you to do? Allow us to help. In many cases you may have to comply with more
than one. Example: a publicly traded life insurance company may be accountable to
all three.
Once security has been fully put in place, the daily staff will have to maintain the
current security posture in order for security to be maintained and for the company to
remain within the compliance boundaries required by its industry or business type. A
single stationary security guard does not provide security; a roaming guard who
constantly checks all entrances and exits does.
Too often companies begin the security process but never complete it. Even worse,
they may complete it but not maintain it. Security is a constant state of presence.
One ignored policy can result in a total failure of security. For example: not
locking the door on the day the burglar strikes. The fact that you locked it every
other day (364 of them) with a high-grade lock was all in vain when it counted. The
problem with IT security is that the "burglars" are trying constantly to gain access.
It is never a one-time attempt, and seldom is it a single individual.
The problems outlined above are why the regulations applicable to your business
environment require someone to be designated as the security official, as well as
someone outside your business to audit the security currently in operation.
To help small businesses meet their compliance obligations, ISSCP offers an "Umbrella
approach". Instead of the small business having to add an IT department to an already
costly structure, ISSCP provides security professionals who will study your business
needs and recommend the security functions required for you to remain compliant with
federal law and safe.
The Umbrella can be opened to cover as much or as little as you need. For instance,
you may have IT personnel on staff, but who performs the outside audit that the law
requires? ISSCP can help. Or maybe you have no IT personnel and need assistance putting
security in place, for both physical and computer systems. ISSCP can help. Perhaps you
read a book on HIPAA compliance and have tried to interpret it yourself and build it
into daily practice. Commendable, but costly if you fail: criminal violations of HIPAA
can carry fines of up to $250,000 and up to 10 years in prison. ISSCP can help.
We can also build secure networks and websites and keep your data stored safely; in
short, we can meet all your security needs, which is your goal and ours.