Friday, September 18, 2015

Elements of a good security program

Elements of a good security program:
In general, a good security program provides the big picture for keeping data secure. It ensures that every part of the company stays involved in the program, in a holistic approach. It is not an incident-handling guide for what happens when a security breach is detected. It is also not a guide to doing periodic checks, though it probably does dictate when to do a security assessment.
It defines which types of data are covered and which are not, evaluates the risks the company faces, and lays out the plan to reduce them. It also states how often the program will be re-evaluated and updated, and when compliance with the program will be assessed.
Designated security officer:
For most security regulations and standards, having a Designated Security Officer (DSO) is not optional — it’s a requirement. Your security officer is the one responsible for coordinating and executing your security program. The officer is your internal check and balance. This person or role should report to someone outside of the IT organization to maintain independence.
Risk assessment:
This component identifies and assesses the risks that your security program intends to manage. This is perhaps the most important section, because it makes you think about the risks your organization faces so that you can then decide on appropriate, cost-effective ways to manage them. Remember that we can only minimize, not eliminate, risk, so this assessment helps us to prioritize risks and choose cost-effective countermeasures. The risks covered in your assessment might include one or more of the following:

·         Physical loss of data. You may lose immediate access to your data for reasons ranging from floods to loss of electric power. You may also lose access to your data for more subtle reasons: the second disk failure, for example, while your RAID array recovers from the first.
·         Unauthorized access to your own data and client or customer data. Remember, if you have confidential information from clients or customers, you’re often contractually obliged to protect that data as if it were your own.
·         Interception of data in transit. Risks include data transmitted between company sites, or between the company and employees, partners, and contractors at home or other locations.
·         Your data in someone else’s hands. Do you share your data with third parties, including contractors, partners, or your sales channel? What protects your data while it is in their hands?
·         Data corruption. Intentional corruption might modify data so that it favors an external party: think Trojan horses or keystroke loggers on PCs. Unintentional corruption might be due to a software error that overwrites valid data.

Importance of a Security Program in a Company

It is always important to have a good plan for securing information assets; such a plan is a security program, built by information security professionals. It also provides a framework for keeping the company at a good security level by assessing the risks it faces and how to mitigate them, and for planning how to keep the program and the security posture up to date.
Your company’s value is its data:
Think you don’t have anything of value to preserve? Think again. The key asset that a security program helps to defend is your data — and the value of your business is in its data. You already know this if your company is one of many whose data management is covered by regulatory and other controls — for example, how you handle customer credit card data. If regulations do not already cover your data management practices, consider the value of the following:

o   Product information, covering designs, plans, grant requests, source code, and drawings.
o   Financial data, including market assessments and your company’s financial records.
o   Customer information, including the private information you hold on behalf of clients.

Protecting your data means preserving its confidentiality, integrity, and availability, as captured by the C-I-A triangle. The consequences of failing to protect any of these three aspects include business losses, legal liability, and loss of company goodwill.

Tuesday, September 8, 2015

Introduction

Hello everyone, I am studying for a Master's in Computer Information Systems, and this is my blog. I will post about information security in business (news, methods, reviews) every week here.