Computer security means establishing policies
This article was a TechLink feature in the December 2003 issue of The Business Ledger.
Everyone seems to be talking about computer and network security these days, and with very valid cause. Attacks on computer systems, especially via the Internet, are on the rise and the sophistication of these attacks continues to escalate at alarming levels.
A recent survey by the FBI and the San Francisco-based Computer Security Institute found that 90% of organizations responding detected computer security breaches within the last year. A full 80% of the 634 businesses, organizations and government agencies responding reported money lost to computer breaches, totaling nearly half a billion dollars—that's over $700,000 on the average for each organization. And yet only 34% of these organizations reported the attacks to law enforcement. Clearly the threat is real, is serious and is growing, and as the sophistication and ease of use of the computer tools used for these attacks increases, they will extend down to even the smallest business.
Ray Trygstad is the Assistant Director for Information Technology of Illinois Institute of Technology's Rice Campus in Wheaton. As an officer in the U.S. Navy, he was an Information Systems Security Manager and had the opportunity to create an information system security program from the ground up. He teaches information system security management, operating systems and virtualization, and information technology management in IIT's Information Technology & Management Degree Program.
Once you've accepted the threat as real, what do you need to do? If you listen to computer equipment vendors, you might believe that all you have to do is implement their hardware solutions and you will be safe. Unfortunately this is far from the truth. Installing firewalls and other hardware solutions should be the LAST step in implementing a sound computer and network security program. Computer security has three primary elements: software, hardware and people, and pure hardware or software solutions don't address the human element. The first step should be to create policy, because when you get down to brass tacks, computer security is policies. Policies are created in response to a careful examination of the threats and risks, and are the engine that drives software, hardware and human solutions; they are the only part of the solution that encompasses the human element.
Don't know anything about computer security policies? You're not alone: even a lot of seasoned information technology professionals have little or no grasp of even the basics of information security. The good news is that there are a lot of folks out there working to make the information you need to get started freely available. The SANS Institute Information Security Reading Room is an outstanding place to start. Found at http://www.sans.org/rr/, the Reading Room is maintained by the SANS (SysAdmin, Audit, Network, Security) Institute, established in 1989 as a cooperative research and education organization; they develop, maintain, and make available (at no cost) the largest collection of research documents about various aspects of information security. It has an entire section devoted to security policy issues, including the SANS Security Policy Project, which attempts to offer everything you need for rapid development and implementation of information security policies. You'll also find a great selection of white papers written for every level of knowledge—yes, even for those of you already mentally protesting "but I don't know anything about this stuff!"
A good starting point for those of you in this position might be David Jarmon's Preparation Guide to Information Security Policies (at http://www.sans.org/rr/papers/index.php?id=503), which is simply and clearly written to explain just what information security policies are, why you need them and how to go about formulating them. Jarmon tells us that "...a security policy is a plan that defines 'acceptable use' (based upon the acceptable risk) of all electronic media within a company or organization." The policy is the principal means of addressing the human element in the security equation, and provides the baselines on which hardware and software security implementation decisions are made. Jarmon's white paper addresses the threats as well as training and implementation of the policies. Whether you will create a program in house or seek outsourced solutions, as a manager or executive you need to educate yourself on these issues.
Security policies are only part of an effective computer security program, but they are the core on which the rest of the program is built. If you have not implemented a computer security program, a look at policies is a good place to get started. And you'd better get started, because if you haven't been the subject of an attack yet, odds are overwhelming that you will be.
Document Last Updated by Ray Trygstad
Copyright 2004 Illinois Institute of Technology