Security is a top-of-mind concern for CIOs and data center managers. In environments where regulatory requirements play a role, it is critical to ensure that organizational data is safe and secure at every access point. Awareness isn’t enough, though. Organizations must be able to gauge their security preparedness. That’s why Logicalis, an international provider of integrated information and communications technology (ICT) solutions and services, has developed a checklist of seven key things to look for in a secure IT environment.
“The cornerstone when securing an IT environment is to classify the data that runs through that environment,” explains Von Williams, director of information security, audits and compliance for Logicalis. “You have to know whether your data is private, confidential or public before you can assign security protocols and policies that will safeguard that data to the extent required for each level of classification.”
According to Logicalis, there are seven key ways to know if an IT environment is operating under a “best practices” approach to data security. Using this checklist as a guide is a good start, but Williams warns that IT security is not a static process and controls must be employed to continually assess and reassess the companywide policies and strategies that keep security in check.
Any IT security program must have buy-in from upper management and include an established commitment from the top down, communicated to employees, shareholders and customers alike, that demonstrates the company takes security seriously.
To protect the confidentiality, integrity and availability (CIA) of the data in an IT environment, that data has to be classified as private, confidential or public. There will be more security controls around company financial data (confidential), for example, than around a memo about a company picnic (public).
Policies tell everyone in an organization exactly what to do to protect the CIA of that data. Confidential data may need to be encrypted, and the security policy will dictate exactly what kind of encryption is required to protect something like the company’s sensitive financial data on a user’s laptop. Other examples of security policies include access control, backup, anti-virus, mobile computing and risk management policies, to name just a few.
It is important to define what is and what is not “acceptable use” of the tools the company provides to its employees; employees should be asked to read and sign the policy before being granted access to the equipment and the company’s network/data.
It’s not enough to establish policies and define rules if no one in the company knows what those rules and policies dictate. Every employee should know where the security policies are stored (e.g., on the company’s intranet) and how to access them. One way to accomplish this is to hold regular security awareness classes that reinforce the company’s policies. Post signs, send out weekly security email reminders and be sure all employees embrace the idea that “security is everyone’s responsibility.”
A critical step in securing an IT environment is to identify all imaginable risk factors. Clearly, more time will be spent assessing the risk to confidential data than to public data. This is an exercise that cannot be taken lightly; without such an assessment, data remains exposed to risks that could easily have been identified and protected against.
What happens when there is a data breach? It’s not a question of “if” it will happen, but of “when.” How will the company respond? A clearly defined process lays out what constitutes a breach, how to identify it, and whom to contact to report a data security breach. Once a breach is confirmed, IT must act to contain it as quickly as possible, minimizing the impact on the company. Afterwards, a “lessons learned” session re-examines the process and makes adjustments to avoid a similar circumstance in the future.