Companies are increasingly concerned with security, as natural disasters, human error and malicious attacks make the news, even worldwide.
Investment in security has reached record levels, and continues to rise as institutions seek to reassure their shareholders and comply with new standards and legal requirements...
However, being secure is more than simply buying firewalls, antivirus and authentication software.
"Good IT security is related to good management. It is more important to keep up with updates and to document systems and procedures than to install new and expensive security devices," says Bart Vansevenant, director of the security strategy services provider Ubizen Europe.
"Secure environments are typically well documented, with procedures for updating systems, and close monitoring and control of servers - that is where security is part of the culture."
The primary thing is the management of a security policy, because without active management and the enforcement of a policy, the vast majority of investment in security technology is a complete waste.
The policy is the core of any security process. It indicates what must be done, identifies what is most important to the organisation and highlights the ideas and objectives of the process so that everyone understands them.
Policies define a company's culture and are crucial for it to comply with the many regulations and laws that businesses must obey.
Good policy practice
Most companies have at least some documented policies, perhaps covering a small number of factors that are key to the business. While some areas - especially the HR department - normally have well-established procedures, there are other important areas that are frequently undergoing change. Frequently these evolving areas are related to IT, where the software and hardware contexts make it difficult to keep everything constantly up to date and to provide services to the company's users.
But where do you start? For most organisations a security policy needs to be based on business need.
"To formulate an adequate security policy, it is vital that the organisation understands exactly what needs protecting, and from whom," says Gary Clarke, vice president of sales and marketing at Rainbow Technologies.
"Evaluating who within the organisation needs access to certain types of information is key to developing an adequate security strategy. Who should be granted access, for how long and under what circumstances?
"By answering such questions a company can tailor a security policy to its own specific needs, and, once the policy has been recognised and understood across the company, the relevant technology can be implemented to safeguard sensitive information."
For those organisations which do not have the expertise or time to write policies in-house, pro forma policies are available via the internet, often for free or for a nominal fee.
The problem is that the policy is up-to-date only on the date of purchase. It is the buyer's responsibility to keep it updated. Another disadvantage with these policies is that they can often be difficult to tailor to your own needs.
"Protecting information and ensuring compliance with standards of good practice is an increasingly important part of good business management," says Jason Creasey, senior project manager at the Information Security Forum. "Organisations need a clear definition of what constitutes good practice in information security."
The Information Security Forum publishes a standard of good practice, one of the most concise available for free.
"The standard provides a framework that has been created through the work and experience of our member organisations," says Creasey.
"It can be used to help an organisation to assess its security situation and performance, along with enhancing awareness, checking compliance with industry standards and regulations and maintaining business integrity."
A more practical option is to bring in an outside consultant to assist with policy drafting - or at least to review what has been produced in-house. This gives all concerned additional peace of mind and may be a more efficient use of management time.
The burden of updating a policy can also be shifted to the third party, allowing the IT department to concentrate on the task of implementation.
---
Best practice through education
The traditional approach to policy deployment is to issue a new employee with a staff handbook - with a clause in the contract obliging them to read the information. The reality, however, is that few people will take the trouble to carefully read a policy handbook, and they are rarely updated.
Baltimore Technologies principal consultant Ian White says companies must pay more attention to education and communicating the point of their policy to staff, rather than just expecting it to be adhered to.
"One of the most cost-effective security measures that a company can implement is to raise the level of security awareness in staff and customers through the use of a small number of targeted security messages," he says.
Even a modest increase in the general level of security awareness is likely to result in more instances of unusual behaviour being noticed and may deter potential attackers.
Lack of understanding about policies is evident not only on the shop floor, but also in the boardroom. IT departments continue to battle to explain that a policy applies to all.
"The chief executive can unwittingly pose the greatest security threat," says Clarke. "While having unlimited access to all data and systems, it is also probable that he or she is least likely to appreciate the need for security controls.
"Consider the case of the chief executive who finds it difficult to remember new passwords. They inevitably will at best select a weak password, or in the worst case scenario will write down the new password on a Post-It note where it might be found and used by an unauthorised person."
This is a problem for IT departments, which sometimes find themselves placed in an unacceptable position where their authority and responsibility to the business is compromised by senior management.
So as well as laying down the reasons why operational policy is in place, it's also important that a policy details the business and productivity argument.
This, in turn, will make it easier to argue the case with the board on budget, let alone compliance.
"A chief executive's focus is not security, it's ensuring that they get the best for their stakeholders," says Clarke.
"This means that expensive deployments to ensure the security of the company could well be curtailed by the board, because they see the security measures they have in place as adequate because no damage has been done and new deployments are overkill.
"Only when a virus shuts down the network for a few days will they ask why security was not good enough."
While the consequences of not being able to demonstrate the required level of compliance are sometimes purely financial, it would be unwise to underestimate the hidden costs of lost management time and negative publicity that can stem from compliance failure.
Similarly, while penalties for compliance failures have traditionally been a problem for businesses, there is an increasing number of situations where there is a tendency to look behind the corporate veil towards those with stewardship of the organisation. The creation of well-drafted policies and their effective deployment can have a significant impact on minimising the occurrence of compliance breaches.