Controls Reduce Security Threats
Technology is only one part of what it takes to produce a strong, secure information system. Well-written security policies lay the groundwork and tell employees what is required to protect the information system. Remote access should be part of the security policy so that it controls who does what and what they are allowed to access in the system. Setting standards for the types of devices that are allowed to access the system is equally important.
"Without an effective security policy that addresses procedures, mitigation strategies, and periodic training, all other security programs will be less successful" (Welander, 2007). Technology alone will not protect the information system of the business. Employees need to be trained on the security standards that are set for the company. No matter how secure the system is, employees can let intruders in just by checking personal email or browsing the internet on breaks.
"Controlling which persons and programs have access to the control systems is critical to maintaining security" (Welander, 2007). Employees should be allowed only the access needed to perform their job duties. Only management employees should have the authority to allow someone to enter the system and to control what that person is allowed to do. With management controlling access, responsibility is placed where it should be, and no one is given access to something they do not need to do the job.
The security policy should address network login with usernames. Passwords should have a minimum and maximum length, be complex, and be changed periodically. The remote access section should designate who is allowed access and what they may do. What are the system requirements? What software and applications will be allowed? The internet connections need to be explained in the policy. How are computers tracked? How are equipment and media disposed of, considering harmful effects? How should media be allowed to be used and stored in the system? What is allowed with mobile computers needs to be explained in the security policy. How the system is updated, how often it will be updated, and who is responsible for the updates should be addressed. Any privileges that employees are allowed, such as the use of personal email, should be addressed. How applications should be implemented to protect the system should be addressed. Under what conditions is it acceptable for the system to be locked down? What services are allowed and not allowed should be stated in the policy. Host intrusion detection should be discussed. The policy needs to state what devices are allowed to access the system. The policy needs to make it difficult for attackers to access passwords, such as through the use of screensavers. The servers need to be monitored on a continual basis. Incident response needs to be handled by designated people. (CompTecDoc)