Tuesday, September 24, 2002
Went to a seminar recently, one of the Microsoft Executive Circle series. Good speakers, great giveaways!
Treat IT as its own company
- Customer focus
Align IT strategy with business strategy: include IT costs with business items.
"Security is a process, not a product."
- Increased awareness of network vulnerabilities because of viruses.
- Physical security weaknesses came to light on 9/11.
- Enron-type debacles create pressure for more regulations, like security audits.
- Security is everybody's responsibility, and needs to be distributed.
- Set standards & policies
- Educate about those standards
- Audit for those standards
- Understand business requirements
- 5-year plan: where are we going?
- Define standards (regs, tech, operational)
- Means for measurement
- Risk & threat assessment
- Select criteria from standards
- Add items not in standards
- People: everybody
- Architecture: aligns security with business, sets management expectation
- Awareness: communicate expectations
- Technologies: security products enforce security in support of architecture
- Consolidate data