As information security professionals, we wage a battle every day against an unseen foe. This article discusses just how the battle plans should be drawn. It gives you an understanding of why IT security is not only an ongoing effort, but takes much more effort and resources than most companies or executives are willing to admit. Security is a tactical effort that takes planning, strategy, practice, and an ongoing review and maintenance process. It is an issue of whether or not to hire an outside firm to monitor your systems and review logs and still being able to take care of problems internally without negative impact to financial performance or reputation. Also at issue is knowing when to call in outside help when the problem gets too big for your resources to handle. The author presents a problem and potential understanding that whether you outsource or insource, you will have the same problems; and that planning, procedures, development, testing, and deployment are all critical and ongoing issues for any company's security model. This article includes four primary sections: understanding the problem, developing a solution, judging your fortress, and what will it cost. These are not all the answers, only some potential solutions. Each business will need to identify how much it is willing to spend to develop and which model to choose, deploy, and maintain. On the flip side of that coin, a company will also need to determine how much it is willing to risk losing if it is compromised.
展开▼
机译:作为信息安全专业人员,我们每天都在与看不见的敌人作战。本文讨论了应该如何制定作战计划。它让您了解为什么 IT 安全不仅是一项持续的工作,而且需要比大多数公司或高管愿意承认的更多的精力和资源。安全是一项战术工作,需要规划、战略、实践以及持续的审查和维护过程。这是一个问题,即是否聘请外部公司来监控您的系统和审查日志,并且仍然能够在内部处理问题而不会对财务业绩或声誉产生负面影响。另一个问题是,当问题变得太大而您的资源无法处理时,知道何时寻求外部帮助。作者提出了一个问题和潜在的理解,即无论你是外包还是内包,你都会遇到同样的问题;规划、程序、开发、测试和部署对于任何公司的安全模型来说都是关键且持续的问题。本文包括四个主要部分:了解问题、制定解决方案、判断您的堡垒以及它的成本。这些并不是全部的答案,只是一些潜在的解决方案。每个企业都需要确定它愿意花多少钱来开发,以及选择、部署和维护哪种模型。在硬币的另一面,一家公司还需要确定如果它受到损害,它愿意承担多少损失的风险。
展开▼
