Click here to receive your FREE subscription to Campus Technology
Security
Where the Risks Are
10/1/2008
Knowing what to spend on data protection and where to focus the effort isn't easy. Security assessments help eliminate the guesswork by identifying where your most critical risks lurk.
CHANCES ARE, SOME ASPECTS of your IT security
setup make you uncomfortable. Maybe it's the server
that's so brittle no one dares install security updates on it.
Maybe it's the use of shared passwords, known to all past
and present IT team members. Maybe it's the overly permissive
firewall; outdated antivirus protection; open WiFi.
Maybe it's the inability to enforce security policies, or the
lack of such policies.
It's difficult to know where to begin improving IT security, because the number of potentially weak areas can be overwhelming. A security assessment helps prioritize the issues, allowing an organization to tackle them in the order of importance. The assessment not only allows IT staff to focus a limited budget on addressing the most critical risks first, but also arms them with facts that could free up additional funding.
To help you get the most out of a security assessment, let's consider which aspects of the environment a security assessment can examine. We'll also discuss how the assessment can be conducted.
What to Examine?
The first step in scoping a security assessment, whether you will conduct it yourself or hire a consultant, is to determine what you'd like to examine. The best way to start is to list your concerns, then group them. The issues often fall into the following categories:
- External network components, which may include systems and devices accessible from the internet or partner networks
- Internal network components, which may include workstations, servers, printers, and other devices used by individuals at your college or university
- Guest or remote networks, which may include mistrusted wireless and wired networks used by visitors or remote VPN users
- Applications and databases, which store sensitive data and allow staff, faculty, and students to conduct important transactions
- Security policies and procedures, which guide personnel in IT and other departments in maintaining or making use of IT infrastructure
The goal of a security assessment often is to examine these areas in some detail, in order to identify vulnerabilities, understand their relevance, and prioritize them by risk. This information will allow the organization or the assessor to develop a remediation plan.
Knowing what to include in the security assessment helps estimate the effort and cost. If you don't have the luxury of examining all pertinent aspects of your environment in a single project, consider starting with the most significant concerns, and cover the other ones in subsequent assessments.
Recommended Reading
- Emerging Tech Challenges
- Interesting Developments
New projector technologies and features offer improved picture quality, reductions in operation and installation costs, and challenge our ideas about where and how projectors can be used.
- 'N' is for Now!
With final approval of the emerging 802.11n standard tantalizingly close, forward-looking colleges and universities are deploying wireless "n" networks. Here's what you'll need to know for your own "n" initiative.
- Put It Online
- The Argument for Open
Is open source business intelligence software ready for prime time? Our feature contributor offers BI watchers the open source ammunition they've been waiting for.
- CT Briefs
