Home

From Wikibon

Revision as of 05:46, 29 July 2009 by Dvellante (Talk | contribs)



Latest Peer Incites:


1. How Shopzilla Manages Insane Storage Growth (5:18)




Wikitip

Diligence and security

Is your organization taking every reasonable step to provide technology security? Of course, there is no such thing as a perfectly secure network, but one of the best ways to satisfy the duty of reasonable protection of a network, beyond compliance, is to exercise a number of fundamental security principles.

Foremost of these principles is diligence. One key advantage to exercising heightened diligence is that the organization can use these initiatives to establish a better stance on security altogether. It is also able to respond to legal scenarios by demonstrating that it made good-faith efforts to provide security.

Diligence can cover a wide spectrum of focus, but to generalize, staying aware of security and technology developments in the following areas will help an organization's security posture:

  • Security Standards – Best practices constantly evolve and adapt to emerging technology and user behavior. Consensus around best practices is therefore always evolving. Look beyond your dusty security standards and, on a regular basis, compare them against your organization and what is current. Discovering how your security profile matches up to them can be a very enlightening exercise.
  • Regulations – Regulations can provide a benchmark of standard security practices as long as your organization is current and compliant. This is a great base for risk avoidance and a baseline for minimizing legal exposure. While non-compliance by itself typically does not constitute a basis for legal matters, it is typically best to have these matters in order consistently.
  • Contracts – Understand the liability your organization accepts when negotiating contracts. Generic disclaimers for security flaws are often non-binding and therefore should not be used. Be specific, and address your organization’s concerns in all contract matters. Know the extent of liability your organization is accepting.

For example, protecting sensitive information, such as PCI-DSS data, typically requires agreements with vendors. These agreements are created to ensure security requirements are met. It is critical to isolate information security directives across physical, monitoring, and computing technology domains, with specificity for your organization’s needs. Minimizing risk is the bottom line, and no detail can be too small. If you have questions, ask.

Review the practices your vendors use to support products on your network, and practices that you require of your partners. If you require a vendor to operate in an insecure mode, you may be liable for breaches of its security that can be tied to your requirements.

Minimizing risk to the enterprise is the duty of a responsible and secure organization. This goes beyond typical reactive responses to breach events. It actually delves much further into the health of the organization, minimizing risk, and public perception.



Featured Case Study

Financial giant goes green

The corporate IT group of a very large, worldwide financial organization with 100,000 employees has initiated an ongoing “greening” process. This is focused largely on reducing energy use, both to decrease the corporation's carbon footprint and to create a net savings in operational costs over the lifetime of new, more energy-efficient equipment, including new storage systems.



Featured How-To Note

Planning a Green Storage Initiative

Fluctuating energy prices have raised electricity and energy consumption to a major issue within the technology community. IT is a significant consumer of energy, and IT energy costs have been rising disproportionately because of continued investment in denser IT equipment. Estimates from the EPA and others indicate that IT will account for 3% of energy consumption by 2012.