Security Compliance: A Survival Guide

Keeping your network secure is about more than simply protecting it from viruses and hackers. To do business, many of today's companies have to implement strict security measures required by their business partners and the government. Securing your business network may seem daunting, but with careful planning and a little research, you can take steps to safeguard your company. Here are some ways to help ensure that your business runs smoothly, your customers remain happy, and your data remains secure.

Getting Started

  • Build in-depth protection. To fully safeguard your business, your security controls must be able to inspect and, where necessary, block all communication between applications and the network. You should determine:
    • Who is allowed access to the network and data
    • Which areas of the network they are allowed to reach
    • What operations each person is allowed to conduct
    • What information they can access and use
    Install firewalls and intrusion prevention systems to help you control who uses the network. You can also add content security to prevent viruses, spam, and spyware and provide control over Web browsing.
  • Create security event logs. Tracking the behavior of an application and collecting and reporting network events can help you adapt to changing threats. Tracking also helps you keep network endpoints such as PCs and servers protected with the latest security software, so that malicious code cannot spread across your business.

Set Up a Response Plan

  • Build a response plan. This plan will help you determine whether an alert represents a serious incident or false alarm, and create reports on current threats.
  • Work with your networking staff. Train your networking staff, as well as business, financial, and legal employees, to participate in a team that puts the response plan into action.
  • Consider outside help. Outsourcing security monitoring and compliance can be more cost-effective than trying to recruit a security expert and provide nonstop network security. Companies often outsource tasks like user and system-activity logging, intrusion detection and prevention, and firewall management.
  • Get educated on incident response. Start with the National Institute of Standards and Technology's Computer Security Resource Center, which publishes a range of security policy guidelines. In addition, the SANS Institute offers the Security Consensus Operational Readiness Evaluation, which seeks to provide a minimum standard for information security procedures. ISO standard 17799 also offers guidelines for security management and incident management.

Find the Source

  • Assess the damage, and find the source of the attack. Security analysis tools can help you identify the perpetrator, determine what data or resources the attacker gained access to, and close security gaps. A threat mitigation tool and a security information management (SIM) system can help you locate the source of an attack.
  • Keep watch over your network. Use configuration management to keep software on your network consistent, track network changes, and provide up-to-date network visibility. Keeping track of your network configuration can help you be more aware of what's happening on your network and prevent an attack before it happens.

Meet Your Company's Needs

  • Establish company guidelines. You can build and customize security response guidelines to suit your company's unique business needs. Keep lines of communication with managers and other employees open, to involve them in your efforts to protect the business.
  • Regularly review and update the security policy. Be sure that your security policy lists behaviors that are allowed and those that are not allowed. Educate employees so they are aware of the importance of keeping the network safe.
  • Assess risk. Understand the level of risk if a security breach occurs. You may want to change your security policy or business practices to reduce risk.
  • Plan ahead with vendors. Make sure your business partners such as contractors and service providers understand and comply with your security policy. Prenegotiate security contracts and rates with service providers before an incident occurs.

Learn from Experience and Mistakes

  • Host a post-incident meeting. If a security incident occurs, meet with your teams to discuss what went wrong, how to prevent it from occurring again, and lessons learned. Convert these findings into training and education programs for employees. Use e-mail and intranet sites to keep employees up to date on security threats.
  • Stop threats before they occur. Run network vulnerability scans with security software to help ensure that your network remains secure. A good security application can help you discover gaps in your network before a hacker does.

Security Compliance: Did You Know?

  • There are more than 100,000 security regulations worldwide.
  • More than 60 percent of companies that should be complying with the Payment Card Industry Data Security Standard are not yet doing so (SANS Institute, 2007).
  • As of May 6, 2007, more than 150 million records with personal information have been exposed (Privacy Rights Clearinghouse, 2007).
  • COSO offers compliance guidance documents specifically for small public companies.