Information Security between Country Lanes and Motorways
by Chris Baur

The real need for IT security in companies: the demand for crumple zones, airbag systems and driving schools in today’s information society.

Today, security is a major issue in every enterprise. But what does it really come down to? Every company produces some service for the market. The company determines costs and prices, optimizes its service provision and then markets the service. Let’s imagine that this company is a vehicle.

So we have a vehicle that is regularly serviced and refueled. But this in itself is not enough because we need to know where we should go. Enter the corporate strategy, which steers us in a particular direction. We use it to plan the route our vehicle will take in order to arrive at its destination. But en route we meet all the other drivers who are heading towards their own destinations on the same streets that we are negotiating. These and other environmental conditions are often unpredictable and they affect our journey.

Company management tries to foresee these events as far as possible and to prepare for the different kinds of emergency. New dangers also await us on our electronic highways: we often come up against drivers who have never passed their test (careless or untrained users) and who put traffic safety at risk. Then there are the joyriders (attackers) who deliberately set themselves on a collision course with our objectives. On top of this, traffic has become so heavy that the risks, even beyond the dangers already mentioned, have increased massively. Security and safety measures are therefore crucial. For actual street traffic, these measures include driving schools, airbags, crumple zones, recovery services and many others.

The Security Policy Framework
But what about safety and security for electronic traffic? How can we identify all the possible risks on the way to our own destinations or objectives? A range of security technologies, training and education courses, organizational measures and guidelines exist to help with this. What matters, however, is adapting these elements to the individual company and combining them correctly. The result is a Security Policy Framework.

Elements of a Generic Security Policy Framework

The first step is the creation of a security strategy: the company leadership is closely involved in this. The strategy contains the company’s principles and values in relation to information security. It explains the “why” in a way that is understood by all employees.

This forms the basis for the security concept. It defines “what” must be done in order to implement the strategy. The concept consists mostly of standardized measures. Standards here means “best practice” methods: complying with them establishes a sound baseline of protection.

Then comes the implementation of these measures. Documents, guidelines and other activities stipulate “how” the baseline protection is achieved. They define in detail how technologies must be configured, describe the introduction of particular organizational measures, and set out the information security awareness training that the company's employees must receive.

There is no point in prescribing every detail of a Security Policy Framework up front, because what is appropriate, and what matters, differs from one company to the next. Instead, a generic procedure is used to establish what is important and necessary for an individual company. It is suitable for firms of different sizes:

  1. Develop the security strategy.

  2. Develop the security concept.

  3. Define a security organization (who is responsible for what).

  4. Develop the catalog of baseline protection measures.

  5. Build a service inventory and classify each service.

  6. Analyze the risks of each service.

  7. Audit the services against the catalog of measures developed in step 4.

  8. Weigh the need for intervention by combining the audit findings with the risk analysis.

  9. Implement the measures in priority order.

  10. Check regularly that the measures remain implemented and that the actual state still matches the intended one.

Together, these elements form the right combination for information security. Because each element is sized to the company, the resulting level of security is appropriate, and it can be handled and supported at every level of the hierarchy.

Electronic traffic requires the same level of attention that we have been giving to conventional traffic for a long time now. But we must avoid imposing a thirty-mile speed limit on electronic traffic in the name of security!