21 June 2024

Enterprise Security Risk Management (ESRM)

Years ago, the Gartner Group identified three major questions that executives and boards of directors need to answer when confronting information security issues:

> Is your security policy enforced fairly, consistently and legally across the enterprise?

> Would our employees, contractors and partners know if a security violation was being committed?

> Would they know what to do about it if they did recognize a security violation?

In today’s wired world, threats to the information infrastructure of a company or government agency are not static, one-time events.

With new ransomware, XaaS, viruses, vulnerabilities, and digital attack tools widely available for download, a “complete information security solution” in place today can easily become incomplete tomorrow.

As a result, a security architecture solution must be flexible and dynamic.

Presently, news of digital-threat events tends to spread through the computer security world in a “grapevine” manner. Threat information is obtained from websites, e-mail listservs and countless other informal sources.

This haphazard system is incomplete, and is therefore a cause for concern when weighing the damaging, costly effects of an aggressive, systematic digital attack.

A comprehensive security solution requires the careful integration of People, Processes, Systems and External events.

It must allow the correlation and implementation of a “layered” defense, coupled with firm application of risk-management principles.

To fully protect electronic information architectures, an organization needs current intelligence and analysis that allows constant adjustment and fine-tuning of security measures (e.g., firewalls, intrusion-detection systems, virus protection) to effectively defend against a rapidly changing landscape.

"Threats and vulnerabilities relating to computer networks, websites and information assets must be addressed before an attack occurs. Awareness and the ability to make informed decisions are critical."

How "Proactive" are you?

In short, as the electronic economy plays an increasing role in the private and public sectors, organizations must take advantage of the resulting new opportunities for growth and gains in efficiency and productivity.

Realizing these gains depends on an organization’s ability to open its information architecture to customers, partners and, in some cases, even competitors.

This heightened exposure creates greater risk and makes an organization a more likely target for attack (e.g., information and monetary theft, business disruption).

Furthermore, the cost of critical infrastructure failure climbs exponentially as reliance on ever more tightly integrated systems grows.

Your goal going forward is to provide the organization with the following information security value propositions:

  1. A System with Best Practices to Establish, Implement and Monitor Compliance.
  2. Early Warning & Awareness for the Entire Enterprise.
  3. Relevant Decision Support.
  4. Trusted Threat Information/Analysis.
  5. Actionable Threat Countermeasures.

And remember, a single Enterprise Security Risk Management (ESRM) system will not solve the operational risk problem without the right processes and the right people to implement such a solution...
