Reinforcing Your Network Security: Taking Personal Responsibility
By Mark Merkow, CCP, CISSP

March 10, 2000


Failing to consider security as part of the ongoing support and operations of computer systems is often the Achilles heel of many organizations. It's easy to locate examples where organizations undermine expensive security measures because of poor documentation, old user accounts, conflicting software, or poor control of maintenance accounts.

This week's column here at EC Outlook offers a big picture view of ongoing responsibilities to maintain a secure computer and E-commerce installation. Included here are these considerations:

  • Software support
  • Configuration management
  • Backups
  • Media controls
  • Documentation
  • Maintenance
  • Interdependencies

Software Support

Software is the heart of an organization's computer operations, regardless of the size and complexity of the system. As such, it's essential that software functions correctly and is protected from corruption. Several elements of control are needed for software support.

The first is control over what software is used on which systems. If users or systems personnel can load and execute any software on any system, those systems become more vulnerable to viruses, to unexpected software interactions and conflicts, and to other software that may subvert or bypass security controls.

One method of controlling software is to inspect or test software before it is loaded (i.e., to determine compatibility with custom applications or identify other unforeseen interactions/conflicts). This applies to new software packages, upgrades, off-the-shelf products, or to custom software, as deemed appropriate. In addition to controlling the loading and execution of new software, organizations should be cautious with off-the-shelf or downloaded system utilities. Some system utilities are designed to compromise the integrity of operating systems or breach logical access controls.

Another element of software support is ensuring that software is not modified without proper authorization. This involves protecting all software and backup copies, which is often accomplished using a combination of logical and physical access controls.

Many organizations also include on their agendas a program to help assure that software is properly licensed, as required. For example, an organization may audit systems for illegal copies of copyrighted software. This problem is primarily associated with PCs and LANs, but can apply to any type of system.

Configuration Management

Closely related to software support is configuration management -- the process of keeping track of changes to the system and, if needed, approving them. Configuration management normally addresses hardware, software, networking, and other changes; it can be formal or informal. The primary security goal of configuration management is ensuring that changes to the system do not unintentionally or unknowingly diminish security. Some of the methods discussed under software support, such as inspecting and testing software changes, can be used.

For networked systems, configuration management should include external connections. Is the computer system connected? To what other systems? In turn, to what systems are these systems and organizations connected? Note that the security goal is to know what changes occur -- not to prevent security from being changed. There may be circumstances when security will be reduced. However, the decrease in security levels should be the result of a decision based on all appropriate factors.
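One way to put both ideas into practice (software must not be modified without authorization, and configuration management must know what changes occur) is to compare a hash baseline of installed files against their current state and flag any change missing from the approved change record. This is an added example, not code from the column; the file names, the sample tree and the `approved` record format are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff(baseline, current):
    """Return {path: 'added' | 'removed' | 'modified'} between two snapshots."""
    changes = {}
    for path in baseline.keys() | current.keys():
        if path not in baseline:
            changes[path] = "added"
        elif path not in current:
            changes[path] = "removed"
        elif baseline[path] != current[path]:
            changes[path] = "modified"
    return changes


def unapproved(changes, approved):
    """Changes with no matching entry in the approved change record."""
    return {p: kind for p, kind in changes.items() if approved.get(p) != kind}


def demo():
    """Constructed sample: a tiny 'installed software' tree in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cart.cgi").write_bytes(b"v1")
        (root / "pay.conf").write_bytes(b"tls=on")
        baseline = snapshot(root)                     # taken after a reviewed install
        (root / "cart.cgi").write_bytes(b"v2")        # approved upgrade
        (root / "pay.conf").write_bytes(b"tls=off")   # change nobody signed off on
        (root / "util.exe").write_bytes(b"unknown")   # software loaded without review
        changes = diff(baseline, snapshot(root))
        approved = {"cart.cgi": "modified"}           # hypothetical change record
        return changes, unapproved(changes, approved)


if __name__ == "__main__":
    all_changes, flagged = demo()
    for path, kind in sorted(flagged.items()):
        print(f"UNAPPROVED {kind}: {path}")
```

The baseline itself needs the same protection as the software and its backup copies: stored where the accounts that can change the software cannot rewrite it.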
