
Chapter 1: General Security Best Practices

Summary

Best practices for computer security have many dimensions. In this chapter, you looked at some of the most important.

Security starts with well-defined policies that need to be supported by everyone in the organization, especially senior management. The policies and procedures form the structure by which the technical security measures will be implemented. Without defined and unambiguous policies, it is impossible to implement effective security. The security policies will vary in specificity and detail based on the sensitivity of the data they protect. Ensuring the right level of strictness when developing the policies is important to a successful implementation: policies that are too restrictive can inadvertently cause insecure behaviors to be practiced. The policies have to be practical and should be based on the tenets of security.

I proposed three critical tenets of security: design security into your applications before you begin development, abide by least privilege, and build defense in depth. These form the guiding principles for employing effective security.

With the security policies and security guidelines in mind, it is then time to determine what your environment looks like from a security perspective. Security is about managing risk. Risk assessments and risk analysis are important in determining the current state of security as well as what should be developed to increase security in the future. Asset identification and valuation, coupled with risk assessments, help you determine how much and what type of security measures you should employ. Without a careful analysis, you will not have properly identified the problems and therefore will not be able to provide effective security solutions.