Upfront and secure is Job One for SMBs

Interview

Is it OK to use boilerplate security policies that I can download off the Internet?

No. It's OK to download policies, but you've got to apply them to your unique situation. The ones you download may be too strict or not strict enough. The best way to determine which policies you need and how they should be tuned is to perform an information risk assessment. That is, look at the technical and procedural issues surrounding your information systems, determine where your weaknesses are and then develop policies to help turn those weaknesses around.

Do you recommend all-in-one security appliances over standalone firewalls, content filtering and antivirus systems?
All-in-one systems are great, especially for smaller organizations. They're often easier to set up and manage. Just remember that they're a single point of failure, so be sure to have a contingency plan in place in case something goes wrong. Based on how dependent your organization is on computers and the Internet, a contingency plan for one of these systems could be as simple as having a next day replacement warranty. Just remember to back up your system configuration so you can restore it quickly to the new system when you receive it.

Kevin Beaver, Principal Consultant, Principle Logic LLC

How often should I test my 30-node network for security vulnerabilities?
It depends how critical the information is you're trying to protect and how dependent your organization is on the information. If -- and only if -- you regularly keep up with patches, I would suggest an initial test to get a baseline of where you stand and then consider testing for technical vulnerabilities once a quarter or even twice a year. Every situation is different, but this is a general guideline.

I've tried locking down my systems, but it only seems to backfire -- users complain about things such as having to remember too many passwords and it takes too long to access shared files on the network. Is there a way to find a balance so I can secure our systems and they can get their work done at the same time?
One of the biggest complaints I hear from end users is that the 'IT department has locked down everything to the point of extreme inconvenience.' Here are some examples: blocking all e-mail attachments, forcing 12-character passwords that must be changed every 30 or 60 days, requiring users to log in two or three times and browsing the network for five minutes just so they can access their home directories.

All of these things are often seen as legitimate security measures; you've just got to be careful. It all depends on your organization -- the culture, upper management's support for information security, end user awareness and more. You've got to find a good balance between security, convenience and usability. Otherwise, you'll be public enemy No. 1 -- and that's not what you're there for. If you feel the need to lock things down to the point of user aggravation, make sure you have upper management's OK and support first. The bottom line is that you need to keep security as transparent to the end user as possible.

Can my wireless network really be made secure?
Sure, I believe so. There are a ton of hardening techniques, most of which are very simple to implement. I cover a lot of these in another webcast you can find on SearchMobileComputing.com called 'Doing wireless LANs the right way.' I know SearchNetworking.com has some good stuff on this. Also stay tuned to SearchSmallBizIT.com for more contributions from me related to wireless networks.

The neat thing is, there are some good vendor solutions emerging that can help with hardening your wireless systems and help implement the new 802.11i security standard for wireless LANs, so you don't have to worry about the technical issues as much. If you're not 100% sure how secure your airwaves are, it would be beneficial to have someone come in and assess your wireless security to make sure everything is locked down.

What will it take to get my users to create strong passwords and not write them down and leave them laying around their desks?
I think for smaller organizations, desktop versions of PGP and S/MIME are manageable and reasonable. I don't recommend going with an all-out PKI solution unless you're willing to spend the time, effort or money to implement and manage it or bring someone in to do it for you. Another good option is to install an e-mail firewall that supports SSL and TLS and performs encryption at the network perimeter. This takes encryption and other security responsibilities away from end users and can make e-mail security administration a lot easier. You'll just have to determine whether they are worth the price.