When companies are building or upgrading their security, they need to start by getting the perspectives of various stakeholders throughout the firm, according to Ward Spangenburg, director of information security for Pearl.com, who discussed the issue during the SC Congress Chicago conference and expo Thursday.
It’s also important that companies look at security on an enterprise-wide basis, not in silos for different departments, Spangenburg said.
The next step is to consider that feedback along with various intrusion tests to see where any vulnerabilities on a company’s Web site might exist, according to Spangenburg. For the most part, companies should retain those processes that are working. However, sometimes, there are practices or policies that result in more work (e.g., some reports) for some people in the company without actually resulting in improved security. Such counterproductive practices and policies should be scrapped.
From there, the company can conduct a risk analysis to determine what their vulnerabilities are and how to resolve them.
However, Spangenburg admitted that security budgets are limited. So companies have to evaluate what information needs to be secured, putting lower levels of security at the perimeter of the company’s network and adding more layers deeper in the system. Additionally, the more critical the information (e.g., a customer’s payment data), the more layers of security should be added.
Spangenburg added that compliance rules such as PCI DSS for payment information can provide some guidelines for security. But the compliance rules should not provide the company’s only guidelines for security, only a starting point.
2012-11-09 05:42:49